Check that the array hooks are not accessed out-of-bounds. Next patch will then reduce their sizes to reflect the number of hooks implemented for each family. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- include/linux/netfilter.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 80aa9a0b3d10..2e9896d42f96 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -197,18 +197,23 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, rcu_read_lock(); switch (pf) { case NFPROTO_IPV4: + BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv4)); hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); break; case NFPROTO_IPV6: + BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv6)); hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); break; case NFPROTO_ARP: + BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_arp)); hook_head = rcu_dereference(net->nf.hooks_arp[hook]); break; case NFPROTO_BRIDGE: + BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_bridge)); hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); break; case NFPROTO_DECNET: + BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_decnet)); hook_head = rcu_dereference(net->nf.hooks_decnet[hook]); break; default: -- 2.13.6 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html