diff options
author | Florian Westphal <fw@strlen.de> | 2015-04-14 16:44:14 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-04-24 20:51:23 +0200 |
commit | 4c4ed0748f82e26d8b884383e6737cf5a861ed6f (patch) | |
tree | da58cb09446a1c1fe9ef3d4e61b621f8d20a25f5 /net | |
parent | inet: fix possible panic in reqsk_queue_unlink() (diff) | |
download | linux-4c4ed0748f82e26d8b884383e6737cf5a861ed6f.tar.xz linux-4c4ed0748f82e26d8b884383e6737cf5a861ed6f.zip |
netfilter: nf_tables: fix wrong length for jump/goto verdicts
NFT_JUMP/GOTO erronously sets length to sizeof(void *).
We then allocate insufficient memory when such element is added to a vmap.
Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_tables_api.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 78af83bc9c8e..ad9d11fb29fd 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4340,7 +4340,6 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN: - desc->len = sizeof(data->verdict); break; case NFT_JUMP: case NFT_GOTO: @@ -4355,10 +4354,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, chain->use++; data->verdict.chain = chain; - desc->len = sizeof(data); break; } + desc->len = sizeof(data->verdict); desc->type = NFT_DATA_VERDICT; return 0; } |