Commit 1756de26 authored Feb 15, 2010 by Florian Westphal Committed by Patrick McHardy Feb 15, 2010

netfilter: ebtables: abort if next_offset is too small



next_offset must be > 0, otherwise this loops forever.
The offset also contains the size of the ebt_entry structure
itself, so anything smaller is invalid.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

parent ef00f89f

net/bridge/netfilter/ebtables.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -444,6 +444,8 @@ static int ebt_verify_pointers(const struct ebt_replace *repl,
		break;
		if (left < e->next_offset)
		break;
		if (e->next_offset < sizeof(struct ebt_entry))
		return -EINVAL;
		offset += e->next_offset;
		}
		}