On Tue, Mar 22, 2016 at 06:02:52PM +0100, Florian Westphal wrote:
> Ben Hawkes says:
>
> In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
> is possible for a user-supplied ipt_entry structure to have a large
> next_offset field. This field is not bounds checked prior to writing a
> counter value at the supplied offset.
>
> Problem is that mark_source_chains should not have been called --
> the rule doesn't have a next entry, so it's supposed to return
> an absolute verdict of either ACCEPT or DROP.
>
> However, the function conditional() doesn't work as the name implies.
> It only checks that the rule is using wildcard address matching.
>
> However, an unconditional rule must also not be using any matches
> (no -m args).
>
> The underflow validator only checked the addresses, therefore
> passing the 'unconditional absolute verdict' test, while
> mark_source_chains also tested for presence of matches, and thus
> proceeded to the next (non-existent) rule.
>
> Unify this so that all the callers have same idea of 'unconditional rule'.

Applied, thanks Florian.
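The mismatch described in the quoted commit message can be modelled in a few lines of C. This is an added example, not code from the patch or from the kernel: `model_ip`, `model_entry`, `make_rule` and both predicates are hypothetical simplifications, and the sizes used are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for ipt_ip / ipt_entry (assumed layout, not the kernel's). */
struct model_ip { uint32_t src, dst, smsk, dmsk; };
struct model_entry {
    struct model_ip ip;
    uint16_t target_offset; /* where the target starts; matches sit before it */
    uint16_t next_offset;   /* where the next rule starts */
};

/* Address-only test: what the message says the underflow validator checked. */
static bool addr_wildcard_only(const struct model_entry *e)
{
    static const struct model_ip uncond = {0, 0, 0, 0}; /* match any address */
    return memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
}

/* Unified test: wildcard addresses AND no match data before the target. */
static bool unconditional_unified(const struct model_entry *e)
{
    return e->target_offset == sizeof(struct model_entry) &&
           addr_wildcard_only(e);
}

/* Constructed rule with wildcard addresses and match_bytes of "-m" data. */
static struct model_entry make_rule(uint16_t match_bytes)
{
    struct model_entry e;
    memset(&e, 0, sizeof(e));
    e.target_offset = (uint16_t)(sizeof(e) + match_bytes);
    e.next_offset = (uint16_t)(e.target_offset + 40); /* 40: constructed target size */
    return e;
}

/* True when two callers using different tests would classify the rule differently. */
static bool callers_disagree(const struct model_entry *e)
{
    return addr_wildcard_only(e) != unconditional_unified(e);
}

int main(void)
{
    struct model_entry plain = make_rule(0), with_match = make_rule(32);
    printf("plain rule:      disagree=%d\n", callers_disagree(&plain));
    printf("rule with match: disagree=%d\n", callers_disagree(&with_match));
    return 0;
}
```

A rule that carries match data but wildcard addresses is the only input on which the two tests diverge, which is why sharing one predicate across all callers closes the gap.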