netfilter: ip6t_srh: fix NULL pointer dereferences
skb_header_pointer may return NULL. The current code dereference
its return values without a NULL check.
The fix inserts the checks to avoid NULL pointer dereferences.
Fixes: 202a8ff545
("netfilter: add IPv6 segment routing header 'srh' match")
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
d1fa381033
commit
6d65561f3d
|
@ -210,6 +210,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
|||
psidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
|
||||
((srh->segments_left + 1) * sizeof(struct in6_addr));
|
||||
psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid);
|
||||
if (!psid)
|
||||
return false;
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID,
|
||||
ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk,
|
||||
&srhinfo->psid_addr)))
|
||||
|
@ -223,6 +225,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
|||
nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
|
||||
((srh->segments_left - 1) * sizeof(struct in6_addr));
|
||||
nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid);
|
||||
if (!nsid)
|
||||
return false;
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID,
|
||||
ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk,
|
||||
&srhinfo->nsid_addr)))
|
||||
|
@ -233,6 +237,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
|
|||
if (srhinfo->mt_flags & IP6T_SRH_LSID) {
|
||||
lsidoff = srhoff + sizeof(struct ipv6_sr_hdr);
|
||||
lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid);
|
||||
if (!lsid)
|
||||
return false;
|
||||
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID,
|
||||
ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk,
|
||||
&srhinfo->lsid_addr)))
|
||||
|
|
Loading…
Reference in New Issue