netfilter: ip6t_eui: fix read outside array bounds
Use memcmp() instead of the open-coded comparison, which reads one byte past the intended end.

Based on patch from Roel Kluin <roel.kluin@gmail.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
parent
ee254fa44d
commit
4889086969
@ -23,7 +23,6 @@ static bool
|
|||||||
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
{
|
{
|
||||||
unsigned char eui64[8];
|
unsigned char eui64[8];
|
||||||
int i = 0;
|
|
||||||
|
|
||||||
if (!(skb_mac_header(skb) >= skb->head &&
|
if (!(skb_mac_header(skb) >= skb->head &&
|
||||||
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
|
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
|
||||||
@ -42,12 +41,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
|||||||
eui64[4] = 0xfe;
|
eui64[4] = 0xfe;
|
||||||
eui64[0] ^= 0x02;
|
eui64[0] ^= 0x02;
|
||||||
|
|
||||||
i = 0;
|
if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64,
|
||||||
while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]
|
sizeof(eui64)))
|
||||||
&& i < 8)
|
|
||||||
i++;
|
|
||||||
|
|
||||||
if (i == 8)
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
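Review bot: The memcmp() call in the second hunk uses a bare offset `8` into `s6_addr` with no comment saying that this selects the interface-identifier half of the source address; a line such as `/* low 64 bits of saddr must equal the EUI-64 built above */` would make the intended bounds obvious to the next reader. Tying the length to `sizeof(eui64)` keeps the read inside both the 8-byte local array and the 16-byte `s6_addr`, so the bounds themselves look right. Judging by the skb_mac_header() checks in the first hunk, the compared value is derived from the frame's link-layer header, which the sender controls just as it controls the IPv6 source address; the function comment should therefore describe the match as a consistency check, not as proof of the sender's identity. The body of eui64_mt6() between the two hunks is not shown, so the derivation of `eui64` could not be reviewed here.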