From 759546f8d01242270c80be37c3dd8e8b1c8aa1a7 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 18 Apr 2012 14:13:28 +0200
Subject: [PATCH] xt_psd: avoid crash due to curr->next corruption

curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain conditions we wrote past end of array, corrupting ->next pointer of the adjacent host entry.

Reported-and-tested-by: Serge Leschinsky
---
 doc/changelog.txt | 2 ++
 extensions/xt_psd.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 1f6e22a..2fe752b 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -1,6 +1,8 @@
 HEAD
 ====
+Fixes:
+- xt_psd: avoid crash due to curr->next corruption
 v1.42 (2012-04-05)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 46b2831..acb5e8e 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -227,7 +227,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 goto out_match;
 /* Remember the new port */
- if (curr->count < SCAN_MAX_COUNT) {
+ if (curr->count < ARRAY_SIZE(curr->ports)) {
 curr->ports[curr->count].number = dest_port;
 curr->ports[curr->count].proto = proto;
 curr->ports[curr->count].and_flags = tcp_flags;
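Review bot: The new bound `curr->count < ARRAY_SIZE(curr->ports)` in xt_psd_match fixes this write, but the reason it must differ from `SCAN_MAX_COUNT` is recorded only in the commit message, so a later edit could easily restore the old comparison and the out-of-bounds store with it. I would extend the existing comment above the check, for example `/* Remember the new port; ports[] holds SCAN_MAX_COUNT - 1 entries, so bound by ARRAY_SIZE() */`. Any other place that compares `curr->count` against `SCAN_MAX_COUNT` or indexes `ports[]` lies outside this hunk and should be checked for the same off-by-one. The function body starts and ends outside the hunk, so the increment of `curr->count` is not visible here.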