[PATCH] ext4 balloc: fix off-by-one against grp_goal

[linux-2.6-omap-h63xx.git] / net / ipv4 / netfilter / arp_tables.c
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c

index 8d1d7a6e72a563149c253d52c292f259b7e87884..413c2d0a1f3dee117db48289865279113f70e348 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -56,8 +56,6 @@ do {                                                          \
  #define ARP_NF_ASSERT(x)
  #endif
  
-#include <linux/netfilter_ipv4/listhelp.h>
-
  static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
                                       char *hdr_addr, int len)
  {
@@ -82,7 +80,7 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
  {
         char *arpptr = (char *)(arphdr + 1);
         char *src_devaddr, *tgt_devaddr;
-       u32 src_ipaddr, tgt_ipaddr;
+       __be32 src_ipaddr, tgt_ipaddr;
         int i, ret;
  
  #define FWINV(bool,invflg) ((bool) ^ !!(arpinfo->invflags & invflg))
@@ -208,8 +206,7 @@ static unsigned int arpt_error(struct sk_buff **pskb,
                                const struct net_device *out,
                                unsigned int hooknum,
                                const struct xt_target *target,
-                              const void *targinfo,
-                              void *userinfo)
+                              const void *targinfo)
  {
         if (net_ratelimit())
                 printk("arp_tables: error: '%s'\n", (char *)targinfo);
@@ -226,8 +223,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
                            unsigned int hook,
                            const struct net_device *in,
                            const struct net_device *out,
-                          struct arpt_table *table,
-                          void *userdata)
+                          struct arpt_table *table)
  {
         static const char nulldevname[IFNAMSIZ];
         unsigned int verdict = NF_DROP;
@@ -302,8 +298,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
                                                                      in, out,
                                                                      hook,
                                                                      t->u.kernel.target,
-                                                                    t->data,
-                                                                    userdata);
+                                                                    t->data);
  
                                 /* Target might have changed stuff. */
                                 arp = (*pskb)->nh.arph;
@@ -471,7 +466,13 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
                 return -EINVAL;
         }
  
+       if (e->target_offset + sizeof(struct arpt_entry_target) > e->next_offset)
+               return -EINVAL;
+
         t = arpt_get_target(e);
+       if (e->target_offset + t->u.target_size > e->next_offset)
+               return -EINVAL;
+
         target = try_then_request_module(xt_find_target(NF_ARP, t->u.user.name,
                                                         t->u.user.revision),
                                          "arpt_%s", t->u.user.name);
@@ -490,12 +491,10 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
         if (t->u.kernel.target == &arpt_standard_target) {
                 if (!standard_check(t, size)) {
                         ret = -EINVAL;
-                       goto out;
+                       goto err;
                 }
         } else if (t->u.kernel.target->checkentry
                    && !t->u.kernel.target->checkentry(name, e, target, t->data,
-                                                     t->u.target_size
-                                                     - sizeof(*t),
                                                       e->comefrom)) {
                 duprintf("arp_tables: check failed for `%s'.\n",
                          t->u.kernel.target->name);
@@ -562,8 +561,7 @@ static inline int cleanup_entry(struct arpt_entry *e, unsigned int *i)
  
         t = arpt_get_target(e);
         if (t->u.kernel.target->destroy)
-               t->u.kernel.target->destroy(t->u.kernel.target, t->data,
-                                           t->u.target_size - sizeof(*t));
+               t->u.kernel.target->destroy(t->u.kernel.target, t->data);
         module_put(t->u.kernel.target->me);
         return 0;
  }
@@ -629,20 +627,18 @@ static int translate_table(const char *name,
                 }
         }
  
-       if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
-               duprintf("Looping hook\n");
-               return -ELOOP;
-       }
-
         /* Finally, each sanity check must pass */
         i = 0;
         ret = ARPT_ENTRY_ITERATE(entry0, newinfo->size,
                                  check_entry, name, size, &i);
  
-       if (ret != 0) {
-               ARPT_ENTRY_ITERATE(entry0, newinfo->size,
-                                  cleanup_entry, &i);
-               return ret;
+       if (ret != 0)
+               goto cleanup;
+
+       ret = -ELOOP;
+       if (!mark_source_chains(newinfo, valid_hooks, entry0)) {
+               duprintf("Looping hook\n");
+               goto cleanup;
         }
  
         /* And one copy for every other CPU */
@@ -651,6 +647,9 @@ static int translate_table(const char *name,
                         memcpy(newinfo->entries[i], entry0, newinfo->size);
         }
  
+       return 0;
+cleanup:
+       ARPT_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
         return ret;
  }
  
@@ -1204,6 +1203,8 @@ err1:
  static void __exit arp_tables_fini(void)
  {
         nf_unregister_sockopt(&arpt_sockopts);
+       xt_unregister_target(&arpt_error_target);
+       xt_unregister_target(&arpt_standard_target);
         xt_proto_fini(NF_ARP);
  }