netfilter: ip6t_eui: fix read outside array bounds

Use memcmp() instead of open coded comparison that reads one byte past
the intended end.

Based on patch from Roel Kluin <roel.kluin@gmail.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Patrick McHardy 2009-08-31 15:30:31 +02:00
parent ee254fa44d
commit 4889086969

View File

@ -23,7 +23,6 @@ static bool
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par) eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
{ {
unsigned char eui64[8]; unsigned char eui64[8];
int i = 0;
if (!(skb_mac_header(skb) >= skb->head && if (!(skb_mac_header(skb) >= skb->head &&
skb_mac_header(skb) + ETH_HLEN <= skb->data) && skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
@ -42,12 +41,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
eui64[4] = 0xfe; eui64[4] = 0xfe;
eui64[0] ^= 0x02; eui64[0] ^= 0x02;
i = 0; if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64,
while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i] sizeof(eui64)))
&& i < 8)
i++;
if (i == 8)
return true; return true;
} }
} }