]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commit
netfilter: bridge: check len before accessing more nh data
authorXin Long <lucien.xin@gmail.com>
Tue, 7 Mar 2023 21:31:28 +0000 (16:31 -0500)
committerFlorian Westphal <fw@strlen.de>
Wed, 8 Mar 2023 13:25:39 +0000 (14:25 +0100)
commita7f1a2f43e683c8ffca691d45f2cb32c052158fa
treef570b8a9651b8b56a17c8e1ad2cf0a15f703efb7
parent9ccff83b1322f95da7a74784cf6f47a481e03dc5
netfilter: bridge: check len before accessing more nh data

In the while loop of br_nf_check_hbh_len(), similar to ip6_parse_tlv(),
before accessing 'nh[off + 1]', it should add a check 'len < 2'; and
before parsing IPV6_TLV_JUMBO, it should add a check 'optlen > len',
in case of overflows.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
net/bridge/br_netfilter_ipv6.c