From: Florian Westphal Date: Tue, 14 Apr 2015 14:44:14 +0000 (+0200) Subject: netfilter: nf_tables: fix wrong length for jump/goto verdicts X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=4c4ed0748f82e26d8b884383e6737cf5a861ed6f;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git netfilter: nf_tables: fix wrong length for jump/goto verdicts NFT_JUMP/GOTO erronously sets length to sizeof(void *). We then allocate insufficient memory when such element is added to a vmap. Suggested-by: Patrick McHardy Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 78af83bc9c8e..ad9d11fb29fd 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4340,7 +4340,6 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN: - desc->len = sizeof(data->verdict); break; case NFT_JUMP: case NFT_GOTO: @@ -4355,10 +4354,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, chain->use++; data->verdict.chain = chain; - desc->len = sizeof(data); break; } + desc->len = sizeof(data->verdict); desc->type = NFT_DATA_VERDICT; return 0; }