!1445 netfilter: nf_tables: prevent OOB access in nft_byteorder_eval (0ceaf921) · Commits · EulixOS / Software / Kernel

net/netfilter/nft_byteorder.c

+7 −7

Original line number	Diff line number	Diff line
		@@ -30,11 +30,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
		const struct nft_byteorder *priv = nft_expr_priv(expr);
		u32 *src = &regs->data[priv->sreg];
		u32 *dst = &regs->data[priv->dreg];
		union { u32 u32; u16 u16; } s, d;
		u16 s16, d16;
		unsigned int i;

		s = (void *)src;
		d = (void *)dst;
		s16 = (void *)src;
		d16 = (void *)dst;

		switch (priv->size) {
		case 8: {
		@@ -61,11 +61,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
		switch (priv->op) {
		case NFT_BYTEORDER_NTOH:
		for (i = 0; i < priv->len / 4; i++)
		d[i].u32 = ntohl((__force __be32)s[i].u32);
		dst[i] = ntohl((__force __be32)src[i]);
		break;
		case NFT_BYTEORDER_HTON:
		for (i = 0; i < priv->len / 4; i++)
		d[i].u32 = (__force __u32)htonl(s[i].u32);
		dst[i] = (__force __u32)htonl(src[i]);
		break;
		}
		break;
		@@ -73,11 +73,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
		switch (priv->op) {
		case NFT_BYTEORDER_NTOH:
		for (i = 0; i < priv->len / 2; i++)
		d[i].u16 = ntohs((__force __be16)s[i].u16);
		d16[i] = ntohs((__force __be16)s16[i]);
		break;
		case NFT_BYTEORDER_HTON:
		for (i = 0; i < priv->len / 2; i++)
		d[i].u16 = (__force __u16)htons(s[i].u16);
		d16[i] = (__force __u16)htons(s16[i]);
		break;
		}
		break;