Commit 9d3f0273 authored Mar 25, 2026 by Ren Wei Committed by Pablo Neira Ayuso Mar 26, 2026

netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()



Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.

rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
Validate addrnr during rule installation so malformed rules are rejected
before the match logic can use an out-of-range value.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 52025eba

net/ipv6/netfilter/ip6t_rt.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -157,6 +157,10 @@ static int rt_mt6_check(const struct xt_mtchk_param *par)
		pr_debug("unknown flags %X\n", rtinfo->invflags);
		return -EINVAL;
		}
		if (rtinfo->addrnr > IP6T_RT_HOPS) {
		pr_debug("too many addresses specified\n");
		return -EINVAL;
		}
		if ((rtinfo->flags & (IP6T_RT_RES \| IP6T_RT_FST_MASK)) &&
		(!(rtinfo->flags & IP6T_RT_TYP) \|\|
		(rtinfo->rt_type != 0) \|\|