diff options
| author | Chuck Ebbert <76306.1226@compuserve.com> | 2007-01-08 07:11:50 +0100 |
|---|---|---|
| committer | Adrian Bunk <bunk@stusta.de> | 2007-01-09 03:23:34 +0100 |
| commit | 028f0b0041f1bbd0a4f5cd1c4db452b276382115 (patch) | |
| tree | 8e497195af3c1910d9a097fcc968c352ce4b44f9 /net/bridge | |
| parent | 55f645946c66b354a52d30b512f1af73c61dfb60 (diff) | |
ebtables: check struct type before computing gap
Check struct type before dereferencing fields in ebt_entry.
Failure to check can cause oops.
Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Diffstat (limited to 'net/bridge')
| -rw-r--r-- | net/bridge/netfilter/ebtables.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 8171fea2848..558df47e245 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -596,7 +596,7 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, struct ebt_entry_target *t; struct ebt_target *target; unsigned int i, j, hook = 0, hookmask = 0; - size_t gap = e->next_offset - e->target_offset; + size_t gap; int ret; /* don't mess with the struct ebt_entries */ @@ -646,6 +646,7 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, if (ret != 0) goto cleanup_watchers; t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); + gap = e->next_offset - e->target_offset; target = find_target_lock(t->u.name, &ret, &ebt_mutex); if (!target) goto cleanup_watchers; |