Current sanity checks in xt_u32.c inhibit successful use of negative offets when the current position is near or at the end of a packet. The following patch changes the sanity checks to be a bit more flexible - values read from the packet and specified as @ offsets can be interpreted both as positive and negative. Signed-off-by: Michal Soltys <soltys@xxxxxxxx> --- net/netfilter/xt_u32.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c index 24a5276..bb3a63d 100644 --- a/net/netfilter/xt_u32.c +++ b/net/netfilter/xt_u32.c @@ -58,15 +58,11 @@ static bool u32_match_it(const struct xt_u32 *data, val >>= number; break; case XT_U32_AT: - if (at + val < at) - return false; at += val; - pos = number; - if (at + 4 < at || skb->len < at + 4 || - pos > skb->len - at - 4) + if (at + number + 4 < 4 || skb->len < at + number + 4) return false; - if (skb_copy_bits(skb, at + pos, &n, + if (skb_copy_bits(skb, at + number, &n, sizeof(n)) < 0) BUG(); val = ntohl(n); -- 1.6.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
