anonfunc/xtables-addons
1
0
Fork 0
mirror of git://git.code.sf.net/p/xtables-addons/xtables-addons synced 2025-09-21 12:04:56 +02:00
Code Issues Releases Wiki Activity

xt_psd: avoid crash due to curr->next corruption

Browse Source 
curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
conditions we wrote past end of array, corrupting ->next pointer
of the adjacent host entry.

Reported-and-tested-by: Serge Leschinsky <serge.leschinsky@gmail.com>
This commit is contained in:
Florian Westphal
2012-04-18 14:13:28 +02:00
committed by Jan Engelhardt
parent 72b1421783
commit 759546f8d0
2 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
doc/changelog.txt
View File

@@ -1,6 +1,8 @@
HEAD HEAD
==== ====
Fixes:
- xt_psd: avoid crash due to curr->next corruption
v1.42 (2012-04-05) v1.42 (2012-04-05)

2
extensions/xt_psd.c
View File

@@ -227,7 +227,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
goto out_match; goto out_match;
/* Remember the new port */ /* Remember the new port */
if (curr->count < SCAN_MAX_COUNT) { if (curr->count < ARRAY_SIZE(curr->ports)) {
curr->ports[curr->count].number = dest_port; curr->ports[curr->count].number = dest_port;
curr->ports[curr->count].proto = proto; curr->ports[curr->count].proto = proto;
curr->ports[curr->count].and_flags = tcp_flags; curr->ports[curr->count].and_flags = tcp_flags;