[PATCH nf-next 2/4] netfilter: add BUILD_BUG_ON asserts for hook array sizes

Check that the array hooks are not accessed out-of-bounds.
Next patch will then reduce their sizes to reflect the number
of hooks implemented for each family.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 include/linux/netfilter.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 80aa9a0b3d10..2e9896d42f96 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -197,18 +197,23 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 	rcu_read_lock();
 	switch (pf) {
 	case NFPROTO_IPV4:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv4));
 		hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
 		break;
 	case NFPROTO_IPV6:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv6));
 		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
 		break;
 	case NFPROTO_ARP:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_arp));
 		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
 		break;
 	case NFPROTO_BRIDGE:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_bridge));
 		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
 		break;
 	case NFPROTO_DECNET:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_decnet));
 		hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
 		break;
 	default:
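Review bot: BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv4)) and the four sibling asserts test a function parameter, so they only compile when every caller of the static inline nf_hook() passes a hook number the compiler can fold to a constant after inlining; a caller that passes a variable index will fail the build rather than get a runtime check. That is fine if all current callers use literal NF_INET_*/NF_ARP_*/NF_BR_* values, but the description ("Check that the array hooks are not accessed out-of-bounds") reads like a runtime check, so the commit message should state that this is a compile-time guarantee that relies on constant hook arguments at every call site. Also worth noting that the `default:` branch at the end of the hunk is unchanged and receives no assert, so any family not listed in the switch is not covered by the new bound checks.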
-- 
2.13.6
