mirror of
https://git.openwrt.org/openwrt/openwrt.git
synced 2024-06-29 12:24:11 +02:00
2d02a4f5bd
Refresh patches. Adapt 704-phy-no-genphy-soft-reset.patch. Remove brcm2708/950-0005-mm-Remove-the-PFN-busy-warning.patch. Compile-tested on brcm2708/bcm2708 and x86/64. Runtime-tested on brcm2708/bcm2708 and x86/64. Fixes the following vulnerabilities: - CVE-2017-7533 - CVE-2017-1000111 - CVE-2017-1000112 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
23 lines
759 B
Diff
23 lines
759 B
Diff
From: Felix Fietkau <nbd@nbd.name>
|
|
Subject: netfilter: reduce match memory access
|
|
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
---
|
|
net/ipv4/netfilter/ip_tables.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
--- a/net/ipv4/netfilter/ip_tables.c
|
|
+++ b/net/ipv4/netfilter/ip_tables.c
|
|
@@ -61,9 +61,9 @@ ip_packet_match(const struct iphdr *ip,
|
|
if (ipinfo->flags & IPT_F_NO_DEF_MATCH)
|
|
return true;
|
|
|
|
- if (NF_INVF(ipinfo, IPT_INV_SRCIP,
|
|
+ if (NF_INVF(ipinfo, IPT_INV_SRCIP, ipinfo->smsk.s_addr &&
|
|
(ip->saddr & ipinfo->smsk.s_addr) != ipinfo->src.s_addr) ||
|
|
- NF_INVF(ipinfo, IPT_INV_DSTIP,
|
|
+ NF_INVF(ipinfo, IPT_INV_DSTIP, ipinfo->dmsk.s_addr &&
|
|
(ip->daddr & ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr))
|
|
return false;
|
|
|