1 From: Felix Fietkau <nbd@nbd.name>
2 Subject: netfilter: reduce match memory access
3
4 Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 ---
6 net/ipv4/netfilter/ip_tables.c | 4 ++--
7 1 file changed, 2 insertions(+), 2 deletions(-)
8
9 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
10 index 9178930fca17..35d1db7b78f1 100644
11 --- a/net/ipv4/netfilter/ip_tables.c
12 +++ b/net/ipv4/netfilter/ip_tables.c
13 @@ -61,9 +61,9 @@ ip_packet_match(const struct iphdr *ip,
14 if (ipinfo->flags & IPT_F_NO_DEF_MATCH)
15 return true;
16
17 - if (NF_INVF(ipinfo, IPT_INV_SRCIP,
18 + if (NF_INVF(ipinfo, IPT_INV_SRCIP, ipinfo->smsk.s_addr &&
19 (ip->saddr & ipinfo->smsk.s_addr) != ipinfo->src.s_addr) ||
20 - NF_INVF(ipinfo, IPT_INV_DSTIP,
21 + NF_INVF(ipinfo, IPT_INV_DSTIP, ipinfo->dmsk.s_addr &&
22 (ip->daddr & ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr))
23 return false;
24
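Review bot: The added `ipinfo->smsk.s_addr &&` / `ipinfo->dmsk.s_addr &&` short-circuits change the outcome for a rule whose address is not already masked, and the commit says nothing about that assumption. Before the patch a rule with a zero mask but a non-zero `src`/`dst` could never match (`0 != src`), and with `IPT_INV_SRCIP`/`IPT_INV_DSTIP` set it matched everything; after the patch the same rule matches everything, and with the invert flag matches nothing — the opposite of the old result. iptables userspace masks the address before handing the rule to the kernel, so normal rulesets are unaffected, but a ruleset pushed via raw setsockopt (including from a user namespace holding CAP_NET_ADMIN) is not normalised here, and the rule-validation path is outside this hunk so I cannot confirm it enforces `(src & smsk) == src`. I would at least record the assumption above the condition, e.g. `/* A zero mask matches any address; assumes src/dst are already masked (src & smsk == src), as iptables userspace guarantees. */`, and ideally reject or normalise unmasked addresses at rule-check time so the optimisation cannot be observed. `ip_packet_match` starts before the hunk and continues past its last line.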
25 --
26 2.11.0
27