From: Thomas Graf <tgraf@redhat.com> Date: Thu, 9 Apr 2009 15:24:01 +0200 Subject: [net] fix out of bound access to hook_entries Message-id: 20090409132401.GA13651@plip.localdomain O-Subject: [RHEL5.4 PATCH] net: fix out of bound access to hook_entries (bz484036) Bugzilla: 484036 RH-Acked-by: David Miller <davem@redhat.com> Hey all - This patch fixes a out of bound access to hook_entries[] when configuring ebtables rules. Patch tested and verified by the customer. Fixes BZ484036. Please ACK diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 3a13ed6..940b218 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -450,8 +450,9 @@ ebt_check_entry_size_and_hooks(struct ebt_entry *e, return -EINVAL; } /* before we look at the struct, be sure it is not too big */ - if ((char *)hook_entries[i] + sizeof(struct ebt_entries) - > limit) { + if (i < NF_BR_NUMHOOKS && + (char *)hook_entries[i] + sizeof(struct ebt_entries) + > limit) { BUGPRINT("entries_size too small\n"); return -EINVAL; }
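Review bot: The size check against `limit` is now skipped entirely whenever `i` is not below `NF_BR_NUMHOOKS`, so on that path nothing in this hunk confirms that a `struct ebt_entries` fits before the code goes on to "look at the struct", as the comment above the condition puts it. The new guard stops the out-of-bound read of `hook_entries[i]`, but it turns the bounds check into a no-op for that case rather than replacing it. If the code after this block can still dereference the entry when `i` has run past the hook array, consider bounding it by the entry pointer itself, for example `(char *)e + sizeof(struct ebt_entries) > limit`, which needs no index at all. Whether `e` and `hook_entries[i]` are interchangeable here is not visible in the hunk, so treat that as a suggestion to verify. Otherwise, extend the comment or the commit message to say when `i` can equal `NF_BR_NUMHOOKS` and why no size check is needed then; the description currently states only that an out-of-bound access occurs when configuring ebtables rules.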