From: Phil Sutter Date: Wed, 19 Sep 2018 13:17:06 +0000 (+0200) Subject: xtables: Don't read garbage in nft_ipv4_parse_payload() X-Git-Tag: v1.8.1~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11e91a4875b443450dc08951efd6a595d3f5df2e;p=thirdparty%2Fiptables.git xtables: Don't read garbage in nft_ipv4_parse_payload() The problem here is that get_frag() does not set 'inv' in any case, so when later checking its value, garbage may be read. Sanitize this case by setting 'inv' to false before calling get_frag(). Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal --- diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 20ed9428..39e61844 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -234,6 +234,7 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx, break; case offsetof(struct iphdr, frag_off): cs->fw.ip.flags |= IPT_F_FRAG; + inv = false; get_frag(ctx, e, &inv); if (inv) cs->fw.ip.invflags |= IPT_INV_FRAG;
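Review bot: in the `offsetof(struct iphdr, frag_off)` case, the added `inv = false;` covers only this one call site and leaves get_frag() with an output parameter that, per the commit message, it "does not set". Consider having get_frag() write `*inv` on every path, or initialising `inv` where it is declared in nft_ipv4_parse_payload(), so that a later caller that passes `&inv` and then tests it cannot reintroduce the same read of an indeterminate value. Since `if (inv)` decides whether IPT_INV_FRAG is set in `cs->fw.ip.invflags`, a short comment beside the assignment saying that get_frag() may leave `inv` untouched would also keep the line from being dropped later as redundant.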