xtables: Don't read garbage in nft_ipv4_parse_payload()
authorPhil Sutter <phil@nwl.cc>
Wed, 19 Sep 2018 13:17:06 +0000 (15:17 +0200)
committerFlorian Westphal <fw@strlen.de>
Mon, 24 Sep 2018 09:50:00 +0000 (11:50 +0200)
The problem here is that get_frag() does not set 'inv' in any case, so
when later checking its value, garbage may be read. Sanitize this case
by setting 'inv' to false before calling get_frag().

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft-ipv4.c

index 20ed9428425dda6d52151035476780bf895f0d8e..39e6184489554c4fdbf9117a22780e4fc42d5384 100644 (file)
@@ -234,6 +234,7 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
                break;
        case offsetof(struct iphdr, frag_off):
                cs->fw.ip.flags |= IPT_F_FRAG;
+               inv = false;
                get_frag(ctx, e, &inv);
                if (inv)
                        cs->fw.ip.invflags |= IPT_INV_FRAG;
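Review bot: The `inv = false;` added before `get_frag(ctx, e, &inv)` in the `frag_off` case fixes only this call site; it leaves the reason undocumented and get_frag()'s out-parameter contract unchanged, so a later caller can repeat the uninitialized read. Going by the commit message, get_frag() can return without writing `*inv`; its body and the declaration of `inv` are outside the hunk, so this is inferred rather than visible here. Consider a comment on the new line such as `/* get_frag() may return without writing *inv */`, or initializing at the declaration (`bool inv = false;`, assuming it is a plain `bool`) so that every case in the switch starts from a defined value. The consequence is worth recording as well: an indeterminate `inv` can set `IPT_INV_FRAG` spuriously, so a parsed rule would be reported with an inverted fragment match.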