Merge "nf: xt_socket: Fix out-of-bounds in xt_socket_lookup_slow_v{4,6}"

author: Linux Build Service Account <lnxbuild@localhost> 2018-03-28 15:28:09 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2018-03-28 15:28:08 -0700
commit: 9896df099ca71093fce1625b705c79986416649a (patch)
tree: aec1e49e2840da7f8357ad93a20279740592f644
parent: c638be9b40b7e2698fcc2bda3031c3556601351f (diff)
parent: b116697fb51e36789339faf2ea19a9cb80e0f82b (diff)
1 files changed, 9 insertions, 4 deletions
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index ede54061c554..939821821fcb 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -158,10 +158,13 @@ struct sock *xt_socket_lookup_slow_v4(struct net *net,
 #endif
 
 	if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {
-		struct udphdr _hdr, *hp;
+		struct udphdr *hp;
+		struct tcphdr _hdr;
 
 		hp = skb_header_pointer(skb, ip_hdrlen(skb),
-					sizeof(_hdr), &_hdr);
+					iph->protocol == IPPROTO_UDP ?
+					sizeof(*hp) : sizeof(_hdr),
+					&_hdr);
 		if (hp == NULL)
 			return NULL;
 
@@ -360,9 +363,11 @@ struct sock *xt_socket_lookup_slow_v6(struct net *net,
 	}
 
 	if (tproto == IPPROTO_UDP || tproto == IPPROTO_TCP) {
-		struct udphdr _hdr, *hp;
+		struct udphdr *hp;
+		struct tcphdr _hdr;
 
-		hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
+		hp = skb_header_pointer(skb, thoff, tproto == IPPROTO_UDP ?
+					sizeof(*hp) : sizeof(_hdr), &_hdr);
 		if (hp == NULL)
 			return NULL;
author	Linux Build Service Account <lnxbuild@localhost>	2018-03-28 15:28:09 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2018-03-28 15:28:08 -0700
commit	9896df099ca71093fce1625b705c79986416649a (patch)
tree	aec1e49e2840da7f8357ad93a20279740592f644
parent	c638be9b40b7e2698fcc2bda3031c3556601351f (diff)
parent	b116697fb51e36789339faf2ea19a9cb80e0f82b (diff)