From: Tobias Brunner <tobias@xxxxxxxxxxxxxx> This is useful as it prevents that the nodes handle any packets until they are assigned their responsibilities (e.g. by a HA daemon). Fixes: 1a38956cce5e ("netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()"). Signed-off-by: Tobias Brunner <tobias@xxxxxxxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index f302c8e0b2e5..d7bfaf7184ce 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -537,7 +537,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) return -EINVAL; } for (i = 0; i < cipinfo->num_local_nodes; i++) { - if (cipinfo->local_nodes[i] - 1 >= + if (cipinfo->local_nodes[i] != 0 && + cipinfo->local_nodes[i] - 1 >= sizeof(config->local_nodes) * 8) { pr_info("bad local_nodes[%d] %u\n", i, cipinfo->local_nodes[i]); -- 2.7.4
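Review bot: the new `cipinfo->local_nodes[i] != 0 &&` clause in the loop of clusterip_tg_check() lets a zero entry through validation, yet the bound is still tested on `cipinfo->local_nodes[i] - 1` against `sizeof(config->local_nodes) * 8`, which suggests the value minus one is used later as a bit position in config->local_nodes. For an entry of 0 that subtraction gives -1, so whatever consumes these entries after the check has to skip zeros explicitly or it reintroduces the out-of-bounds access that the commit named in the Fixes: tag closed. That consumer is not part of this hunk, so please confirm it skips zero entries, or add the skip in this patch. A short comment above the condition stating that 0 means no local node is assigned yet would also help, since without it the exception reads like an accidental hole in the range check.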