diff options
| author | Xin Long <[email protected]> | 2021-10-12 08:18:13 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <[email protected]> | 2021-10-14 23:08:35 +0200 |
| commit | a482c5e00a9b5a194085bcd372ac36141028becb (patch) | |
| tree | 7ca2d48dc5124057f5d15227ed44cc6ff361da30 /scripts/gdb/linux/timerlist.py | |
| parent | 465f15a6d1a8f51f7e09fba12678b39031f63ca9 (diff) | |
netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6
In rt_mt6(), when it's a nonlinear skb, the 1st skb_header_pointer()
only copies sizeof(struct ipv6_rt_hdr) to _route that rh points to.
The access by ((const struct rt0_hdr *)rh)->reserved will overflow
the buffer. So this access should be moved below the 2nd call to
skb_header_pointer().
Besides, after the 2nd skb_header_pointer(), its return value should
also be checked, othersize, *rp may cause null-pointer-ref.
v1->v2:
- clean up some old debugging log.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Xin Long <[email protected]>
Acked-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Diffstat (limited to 'scripts/gdb/linux/timerlist.py')
0 files changed, 0 insertions, 0 deletions