netfilter: nftables: exthdr: fix 4-byte stack OOB write

commit fd94d9da upstream.

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f64 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203 ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a

 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>