netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() (1a38956c) · Commits · e / devices / android_kernel_fairphone_FP5

net/ipv4/netfilter/ipt_CLUSTERIP.c

+13 −3

Original line number	Diff line number	Diff line
		@@ -431,7 +431,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
		struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
		const struct ipt_entry *e = par->entryinfo;
		struct clusterip_config *config;
		int ret;
		int ret, i;

		if (par->nft_compat) {
		pr_err("cannot use CLUSTERIP target from nftables compat\n");
		@@ -450,8 +450,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
		pr_info("Please specify destination IP\n");
		return -EINVAL;
		}

		/* FIXME: further sanity checks */
		if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) {
		pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes);
		return -EINVAL;
		}
		for (i = 0; i < cipinfo->num_local_nodes; i++) {
		if (cipinfo->local_nodes[i] - 1 >=
		sizeof(config->local_nodes) * 8) {
		pr_info("bad local_nodes[%d] %u\n",
		i, cipinfo->local_nodes[i]);
		return -EINVAL;
		}
		}

		config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1);
		if (!config) {