xt_psd: avoid crash due to curr->next corruption

curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain conditions we wrote past end of array, corrupting ->next pointer of the adjacent host entry. Reported-and-tested-by: Serge Leschinsky <serge.leschinsky@gmail.com>
2025-09-20 19:44:56 +02:00 · 2012-04-18 14:13:28 +02:00
parent 72b1421783
commit 759546f8d0
2 changed files with 3 additions and 1 deletions
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -1,6 +1,8 @@

 HEAD
 ====
+Fixes:
+- xt_psd: avoid crash due to curr->next corruption


 v1.42 (2012-04-05)
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -227,7 +227,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 				goto out_match;

 			/* Remember the new port */
-			if (curr->count < SCAN_MAX_COUNT) {
+			if (curr->count < ARRAY_SIZE(curr->ports)) {
 				curr->ports[curr->count].number = dest_port;
 				curr->ports[curr->count].proto = proto;
 				curr->ports[curr->count].and_flags = tcp_flags;