netfilter: ebtables: abort if next_offset is too small

next_offset must be > 0, otherwise this loops forever. The offset also contains the size of the ebt_entry structure itself, so anything smaller is invalid. Signed-off-by: N Florian Westphal <fwestphal@astaro.com> Signed-off-by: N Patrick McHardy <kaber@trash.net>

netfilter: ebtables: abort if next_offset is too small
next_offset must be > 0, otherwise this loops forever. The offset also contains the size of the ebt_entry structure itself, so anything smaller is invalid. Signed-off-by: N Florian Westphal <fwestphal@astaro.com> Signed-off-by: N Patrick McHardy <kaber@trash.net>
1756de26 · Florian Westphal · Patrick McHardy · ef00f89f · 1756de26
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

net/bridge/netfilter/ebtables.c net/bridge/netfilter/ebtables.c +2 -0

未找到文件。
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -444,6 +444,8 @@ static int ebt_verify_pointers(const struct ebt_replace *repl,
 				break;
 			if (left < e->next_offset)
 				break;
+			if (e->next_offset < sizeof(struct ebt_entry))
+				return -EINVAL;
 			offset += e->next_offset;
 		}
 	}