Merge "netfilter: x_tables: make sure e->next_offset covers remaining blob size"

author: Linux Build Service Account <lnxbuild@localhost> 2016-09-30 18:23:30 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2016-09-30 18:23:29 -0700
commit: 4bfa2a9dfab97993336595867b11c83036632a2f (patch)
tree: b3803a6ec5a1c2df7e6b1e10e9fe16b5d8ffd7da /net/ipv6
parent: 61661c57563d8892691d5246cf34bdafd0c47ee3 (diff)
parent: f6bbb089fe2a94910c4c624d244ab10d64e57fd8 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 37e945cfa5da..45a967b5c4b9 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -754,7 +754,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
 	unsigned int h;
 
 	if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
-	    (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
+	    (unsigned char *)e + e->next_offset > limit) {
 		duprintf("Bad offset %p\n", e);
 		return -EINVAL;
 	}
@@ -1504,7 +1505,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
 
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
 	if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
-	    (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
+	    (unsigned char *)e + e->next_offset > limit) {
 		duprintf("Bad offset %p, limit = %p\n", e, limit);
 		return -EINVAL;
 	}
author	Linux Build Service Account <lnxbuild@localhost>	2016-09-30 18:23:30 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2016-09-30 18:23:29 -0700
commit	4bfa2a9dfab97993336595867b11c83036632a2f (patch)
tree	b3803a6ec5a1c2df7e6b1e10e9fe16b5d8ffd7da /net/ipv6
parent	61661c57563d8892691d5246cf34bdafd0c47ee3 (diff)
parent	f6bbb089fe2a94910c4c624d244ab10d64e57fd8 (diff)