curr->ports[] is of size SCAN_MAX_COUNT - 1, so under certain
conditions we wrote past end of array, corrupting ->next pointer
of the adjacent host entry.
Reported-and-tested-by: Serge Leschinsky <serge.leschinsky@xxxxxxxxx>
---
extensions/xt_psd.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 46b2831..acb5e8e 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -227,7 +227,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
goto out_match;
/* Remember the new port */
- if (curr->count < SCAN_MAX_COUNT) {
+ if (curr->count < ARRAY_SIZE(curr->ports)) {
curr->ports[curr->count].number = dest_port;
curr->ports[curr->count].proto = proto;
curr->ports[curr->count].and_flags = tcp_flags;
--
1.7.3.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
