git.ipfire.org Git - thirdparty/kernel/linux.git/commit
netfilter: xt_multiport: validate range encoding in checkentry
author Ren Wei <n05ec@lzu.edu.cn>
Fri, 3 Apr 2026 15:52:52 +0000 (23:52 +0800)
committer Florian Westphal <fw@strlen.de>
Wed, 8 Apr 2026 11:33:38 +0000 (13:33 +0200)
commit ff64c5bfef12461df8450e0f50bb693b5269c720
tree d14ebe5f87aba90d0f28b5081897e3051fce9d8a
parent 1f3083aec8836213da441270cdb1ab612dd82cf4
netfilter: xt_multiport: validate range encoding in checkentry

ports_match_v1() treats any non-zero pflags entry as the start of a
port range and unconditionally consumes the next ports[] element as
the range end.

The checkentry path currently validates protocol, flags and count, but
it does not validate the range encoding itself. As a result, malformed
rules can mark the last slot as a range start or place two range starts
back to back, leaving ports_match_v1() to step past the last valid
ports[] element while interpreting the rule.

Reject malformed multiport v1 rules in checkentry by validating that
each range start has a following element and that the following element
is not itself marked as another range start.

Fixes: a89ecb6a2ef7 ("[NETFILTER]: x_tables: unify IPv4/IPv6 multiport match")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/xt_multiport.c
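The check the commit message describes, as an added user-space model (this is example code, not the kernel's xt_multiport.c and not the patch itself): a rule layout mirroring the v1 encoding (`count` used slots, `pflags[i]` non-zero meaning `ports[i]` starts a range whose end is `ports[i + 1]`), a validator that rejects a range start in the last slot or two range starts back to back, and a match loop of the same shape as the one described, which only runs on validated rules. The struct, the constant `XT_MULTI_PORTS`, the flag values and the helper names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the v1 rule layout (an assumption for this example, not the
 * kernel's uapi header): XT_MULTI_PORTS entries, each either an exact
 * port or, when pflags[i] is non-zero, the start of a range whose end is
 * stored in ports[i + 1]. */
#define XT_MULTI_PORTS 15

enum { MP_SOURCE = 0, MP_DESTINATION = 1, MP_EITHER = 2 };

struct multiport_v1 {
    uint8_t  flags;                   /* MP_SOURCE / MP_DESTINATION / MP_EITHER */
    uint8_t  count;                   /* number of used ports[] slots */
    uint16_t ports[XT_MULTI_PORTS];
    uint8_t  pflags[XT_MULTI_PORTS];  /* non-zero: ports[i] starts a range */
    uint8_t  invert;
};

/* The validation step from the commit message: every range start must
 * have a following element, and that element must not itself be flagged
 * as a range start. This is what a checkentry hook would run before
 * accepting the rule; here it is a user-space model. */
bool multiport_v1_ranges_valid(const struct multiport_v1 *m)
{
    unsigned int i;

    if (m->count == 0 || m->count > XT_MULTI_PORTS)
        return false;

    for (i = 0; i < m->count; i++) {
        if (!m->pflags[i])
            continue;                 /* exact port, nothing to pair */
        if (i + 1 >= m->count)
            return false;             /* range start in the last slot */
        if (m->pflags[i + 1])
            return false;             /* two range starts back to back */
        i++;                          /* skip the range end just paired */
    }
    return true;
}

static bool port_hit(uint16_t s, uint16_t e, uint16_t src, uint16_t dst,
                     uint8_t flags)
{
    bool src_ok = src >= s && src <= e;
    bool dst_ok = dst >= s && dst <= e;
    switch (flags) {
    case MP_SOURCE:      return src_ok;
    case MP_DESTINATION: return dst_ok;
    case MP_EITHER:      return src_ok || dst_ok;
    default:             return false;
    }
}

/* Match loop of the shape the message describes: a set pflags[i]
 * consumes ports[i + 1] as the range end. Because the validator runs
 * first, i + 1 is always a used slot. Returns -1 for a rule that fails
 * validation instead of walking its encoding. */
int multiport_v1_match(const struct multiport_v1 *m, uint16_t src, uint16_t dst)
{
    unsigned int i;

    if (!multiport_v1_ranges_valid(m))
        return -1;

    for (i = 0; i < m->count; i++) {
        uint16_t s = m->ports[i], e = s;
        if (m->pflags[i])
            e = m->ports[++i];        /* safe: validator guaranteed i + 1 < count */
        if (port_hit(s, e, src, dst, m->flags))
            return !m->invert;
    }
    return m->invert;
}

/* Helper to build constructed sample rules (destination match, no invert). */
static void fill(struct multiport_v1 *m, uint8_t count,
                 const uint16_t *ports, const uint8_t *pflags)
{
    memset(m, 0, sizeof(*m));
    m->flags = MP_DESTINATION;
    m->count = count;
    memcpy(m->ports, ports, count * sizeof(*ports));
    memcpy(m->pflags, pflags, count * sizeof(*pflags));
}

int main(void)
{
    struct multiport_v1 good, last_is_start, double_start;
    const uint16_t p1[] = { 22, 80, 90 };  const uint8_t f1[] = { 0, 1, 0 }; /* 22, 80-90 */
    const uint16_t p2[] = { 22, 80 };      const uint8_t f2[] = { 0, 1 };    /* 22, 80-<missing> */
    const uint16_t p3[] = { 80, 90, 100 }; const uint8_t f3[] = { 1, 1, 0 }; /* 80-<start>, 90-100 */

    fill(&good, 3, p1, f1);
    fill(&last_is_start, 2, p2, f2);
    fill(&double_start, 3, p3, f3);

    printf("well-formed: valid=%d match(dst 85)=%d\n",
           multiport_v1_ranges_valid(&good), multiport_v1_match(&good, 1234, 85));
    printf("range start in last slot: valid=%d\n", multiport_v1_ranges_valid(&last_is_start));
    printf("two range starts in a row: valid=%d\n", multiport_v1_ranges_valid(&double_start));
    return 0;
}
```

The two rejected samples are exactly the shapes the message names: a range start with no following element, and a range start whose following element is itself a range start. The validator skips the paired range end after checking it, so a correctly encoded `start, end, start, end` sequence is accepted.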