diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 1af54119bafc7cde8e8f2a3757e56411014440fb..f272f9538c44a25c7d79346cb5aa08291ecf01ed 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1496,7 +1496,7 @@ static int nft_chain_parse_hook(struct net *net, if (IS_ERR(type)) return PTR_ERR(type); } - if (!(type->hook_mask & (1 << hook->num))) + if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) return -EOPNOTSUPP; if (type->type == NFT_CHAIN_T_NAT &&