import PULS_20180308

[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / ipv4 / netfilter / arp_tables.c

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index c8abe31961eda38c087a0057c53d678998ecc09a..e4717743316e39f88aeac5f32a97bae61b0e3439 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -350,11 +350,12 @@ unsigned int arpt_do_table(struct sk_buff *skb,
 }
 
 /* All zeroes == unconditional rule. */
-static inline bool unconditional(const struct arpt_arp *arp)
+static inline bool unconditional(const struct arpt_entry *e)
 {
        static const struct arpt_arp uncond;
 
-       return memcmp(arp, &uncond, sizeof(uncond)) == 0;
+       return e->target_offset == sizeof(struct arpt_entry) &&
+               memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
 }
 
 /* Figures out from what hook each rule can be called: returns 0 if
@@ -393,11 +394,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
                                |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
 
                        /* Unconditional return/END. */
-                       if ((e->target_offset == sizeof(struct arpt_entry) &&
+                       if ((unconditional(e) &&
                             (strcmp(t->target.u.user.name,
                                     XT_STANDARD_TARGET) == 0) &&
-                            t->verdict < 0 && unconditional(&e->arp)) ||
-                           visited) {
+                            t->verdict < 0) || visited) {
                                unsigned int oldpos, size;
 
                                if ((strcmp(t->target.u.user.name,
@@ -465,14 +465,12 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
        return 1;
 }
 
-static inline int check_entry(const struct arpt_entry *e, const char *name)
+static inline int check_entry(const struct arpt_entry *e)
 {
        const struct xt_entry_target *t;
 
-       if (!arp_checkentry(&e->arp)) {
-               duprintf("arp_tables: arp check failed %p %s.\n", e, name);
+       if (!arp_checkentry(&e->arp))
                return -EINVAL;
-       }
 
        if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
                return -EINVAL;
@@ -484,6 +482,7 @@ static inline int check_entry(const struct arpt_entry *e, const char *name)
        return 0;
 }
 
+
 static inline int check_target(struct arpt_entry *e, const char *name)
 {
        struct xt_entry_target *t = arpt_get_target(e);
@@ -513,10 +512,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
        struct xt_target *target;
        int ret;
 
-       ret = check_entry(e, name);
-       if (ret)
-               return ret;
-
        t = arpt_get_target(e);
        target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
                                        t->u.user.revision);
@@ -542,7 +537,7 @@ static bool check_underflow(const struct arpt_entry *e)
        const struct xt_entry_target *t;
        unsigned int verdict;
 
-       if (!unconditional(&e->arp))
+       if (!unconditional(e))
                return false;
        t = arpt_get_target_c(e);
        if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
@@ -561,9 +556,11 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
                                             unsigned int valid_hooks)
 {
        unsigned int h;
+       int err;
 
        if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
-           (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
+           (unsigned char *)e + sizeof(struct arpt_entry) >= limit ||
+           (unsigned char *)e + e->next_offset > limit) {
                duprintf("Bad offset %p\n", e);
                return -EINVAL;
        }
@@ -575,6 +572,10 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
                return -EINVAL;
        }
 
+       err = check_entry(e);
+       if (err)
+               return err;
+
        /* Check hooks & underflows */
        for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
                if (!(valid_hooks & (1 << h)))
@@ -1219,7 +1220,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
 
        duprintf("check_compat_entry_size_and_hooks %p\n", e);
        if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
-           (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
+           (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit ||
+           (unsigned char *)e + e->next_offset > limit) {
                duprintf("Bad offset %p, limit = %p\n", e, limit);
                return -EINVAL;
        }
@@ -1232,7 +1234,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
        }
 
        /* For purposes of check_entry casting the compat entry is fine */
-       ret = check_entry((struct arpt_entry *)e, name);
+       ret = check_entry((struct arpt_entry *)e);
        if (ret)
                return ret;