target/linux/generic/patches-4.9/612-netfilter_match_reduce_memory_access.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14

--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -61,9 +61,9 @@ ip_packet_match(const struct iphdr *ip,
 	if (ipinfo->flags & IPT_F_NO_DEF_MATCH)
 		return true;
 
-	if (NF_INVF(ipinfo, IPT_INV_SRCIP,
+	if (NF_INVF(ipinfo, IPT_INV_SRCIP, ipinfo->smsk.s_addr &&
 		    (ip->saddr & ipinfo->smsk.s_addr) != ipinfo->src.s_addr) ||
-	    NF_INVF(ipinfo, IPT_INV_DSTIP,
+	    NF_INVF(ipinfo, IPT_INV_DSTIP, ipinfo->dmsk.s_addr &&
 		    (ip->daddr & ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr))
 		return false;