summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2009-08-31 15:30:31 +0200
committerPatrick McHardy <kaber@trash.net>2009-08-31 15:30:31 +0200
commit488908696971c5ea1dcc5d13f29c158ba4f6ae7d (patch)
treee457b2e6bd0f6d91e894bf2936c8cca9e3b4ed3c
parentee254fa44d902ab89fd0d66851701098f07872a7 (diff)
downloadlinux-3.10-488908696971c5ea1dcc5d13f29c158ba4f6ae7d.tar.gz
linux-3.10-488908696971c5ea1dcc5d13f29c158ba4f6ae7d.tar.bz2
linux-3.10-488908696971c5ea1dcc5d13f29c158ba4f6ae7d.zip
netfilter: ip6t_eui: fix read outside array bounds
Use memcmp() instead of open coded comparison that reads one byte past the intended end. Based on patch from Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--net/ipv6/netfilter/ip6t_eui64.c9
1 files changed, 2 insertions, 7 deletions
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index db610bacbcc..ca287f6d2bc 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -23,7 +23,6 @@ static bool
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
{
unsigned char eui64[8];
- int i = 0;
if (!(skb_mac_header(skb) >= skb->head &&
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
@@ -42,12 +41,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
eui64[4] = 0xfe;
eui64[0] ^= 0x02;
- i = 0;
- while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]
- && i < 8)
- i++;
-
- if (i == 8)
+ if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64,
+ sizeof(eui64)))
return true;
}
}