diff options
author | Patrick McHardy <kaber@trash.net> | 2009-08-31 15:30:31 +0200 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2009-08-31 15:30:31 +0200 |
commit | 488908696971c5ea1dcc5d13f29c158ba4f6ae7d (patch) | |
tree | e457b2e6bd0f6d91e894bf2936c8cca9e3b4ed3c /net | |
parent | ee254fa44d902ab89fd0d66851701098f07872a7 (diff) | |
download | linux-stable-488908696971c5ea1dcc5d13f29c158ba4f6ae7d.tar.gz linux-stable-488908696971c5ea1dcc5d13f29c158ba4f6ae7d.tar.bz2 linux-stable-488908696971c5ea1dcc5d13f29c158ba4f6ae7d.zip |
netfilter: ip6t_eui: fix read outside array bounds
Use memcmp() instead of open coded comparison that reads one byte past
the intended end.
Based on patch from Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv6/netfilter/ip6t_eui64.c | 9 |
1 files changed, 2 insertions, 7 deletions
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c index db610bacbcce..ca287f6d2bce 100644 --- a/net/ipv6/netfilter/ip6t_eui64.c +++ b/net/ipv6/netfilter/ip6t_eui64.c @@ -23,7 +23,6 @@ static bool eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par) { unsigned char eui64[8]; - int i = 0; if (!(skb_mac_header(skb) >= skb->head && skb_mac_header(skb) + ETH_HLEN <= skb->data) && @@ -42,12 +41,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par) eui64[4] = 0xfe; eui64[0] ^= 0x02; - i = 0; - while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i] - && i < 8) - i++; - - if (i == 8) + if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64, + sizeof(eui64))) return true; } } |