From 4dcefe4b9520bc53dbd961e7d5e19a6f8c72c268 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 13 Jun 2010 10:40:07 +0200 Subject: [PATCH] xt_geoip: fix possible out-of-bounds access It is possible for geoip_bsearch() to pick mid == sizeof(subnets). Consider a set with a single entry and a "address to test" higher than the range: 1st call: lo = 0, hi = 1 -> mid will be 0 2nd call: lo = 1, hi = 1 -> mid will be 1 On the 2nd call, we'll examine random data. Reported-by: Florian Westphal
---
 extensions/xt_geoip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/xt_geoip.c b/extensions/xt_geoip.c
index 4c6b29f..44e489d 100644
--- a/extensions/xt_geoip.c
+++ b/extensions/xt_geoip.c
@@ -126,13 +126,13 @@ static bool geoip_bsearch(const struct geoip_subnet *range,
 {
 int mid;
- if (hi < lo)
+ if (hi <= lo)
 return false;
 mid = (lo + hi) / 2;
 if (range[mid].begin <= addr && addr <= range[mid].end)
 return true;
 if (range[mid].begin > addr)
- return geoip_bsearch(range, addr, lo, mid - 1);
+ return geoip_bsearch(range, addr, lo, mid);
 else if (range[mid].end < addr)
 return geoip_bsearch(range, addr, mid + 1, hi);
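Review bot: The new guard `if (hi <= lo)` and the lower-half call with `mid` instead of `mid - 1` make `hi` an exclusive bound, but nothing in the visible code states that contract. A caller that passed the last valid index as `hi` would now silently skip the final subnet, and a later edit that restored `mid - 1` would bring back the out-of-bounds read. A comment above geoip_bsearch() such as `/* Search range[lo..hi-1]; hi is one past the last valid index. */` would pin the invariant the bounds check relies on. The midpoint could also be written `mid = lo + (hi - lo) / 2;` to rule out signed overflow of `lo + hi`, though that is presumably theoretical at the set sizes used here. The function's parameter list and tail are outside the hunk, so the call sites could not be checked against the new convention.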