]> err.no Git - linux-2.6/commitdiff
[NETFILTER]: nf_conntrack: Fix missing check for ICMPv6 type
authorYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Mon, 5 Dec 2005 21:32:50 +0000 (13:32 -0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 5 Dec 2005 21:32:50 +0000 (13:32 -0800)
This makes nf_conntrack_icmpv6 check that ICMPv6 type isn't < 128
to avoid accessing out of array valid_new[] and invmap[].

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

index c0f1da5497a9cdb71e5b51d47c84f8ce8af2ddb5..a7e03cfacd06fc35b8b480cd3d04ac1210771fb0 100644 (file)
@@ -68,8 +68,8 @@ static int icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
                [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_REPLY +1
        };
 
-       __u8 type = orig->dst.u.icmp.type - 128;
-       if (type >= sizeof(invmap) || !invmap[type])
+       int type = orig->dst.u.icmp.type - 128;
+       if (type < 0 || type >= sizeof(invmap) || !invmap[type])
                return 0;
 
        tuple->src.u.icmp.id   = orig->src.u.icmp.id;
@@ -129,12 +129,12 @@ static int icmpv6_new(struct nf_conn *conntrack,
                [ICMPV6_ECHO_REQUEST - 128] = 1,
                [ICMPV6_NI_QUERY - 128] = 1
        };
+       int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128;
 
-       if (conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128 >= sizeof(valid_new)
-           || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128]) {
+       if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
                /* Can't create a new ICMPv6 `conn' with this. */
-               DEBUGP("icmp: can't create new conn with type %u\n",
-                      conntrack->tuplehash[0].tuple.dst.u.icmp.type);
+               DEBUGP("icmpv6: can't create new conn with type %u\n",
+                      type + 128);
                NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple);
                return 0;
        }