[PATCH] Kernel oops in ip6t_LOG.c:ip6_nexthdr
YOSHIFUJI Hideaki / 吉藤英明
yoshfuji at wide.ad.jp
Thu Aug 26 13:56:45 CEST 2004
In article <20040826113538.GE15409 at suse.de> (at Thu, 26 Aug 2004 13:35:39 +0200), Olaf Kirch <okir at suse.de> says:
> hdrlen = *hdrptr[1] * 8 + 8;
>          ^^^^^^^^^^ it dies here
> *hdrptr = *hdrptr + hdrlen;
> break;
>
> hdrptr is a u_int8_t **. What you really want to do here is
> look at (*hdrptr)[1], but what the expression does is look at
> *(hdrptr[1]). Unfortunately, hdrptr[1] is usually random garbage.
Agreed. Same bug also lives in 2.4.x.
--yoshfuji
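
The precedence difference discussed in this thread, as an added example that is not part of the original mail and is not the kernel's code. The function names, the two-element `slots` array (which makes `hdrptr[1]` a valid pointer so the as-written expression can be evaluated safely) and the bounds check in `skip_ext_hdr` are assumptions made for illustration; the sample header bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: an extension header whose length byte (offset 1)
 * is 2, i.e. 2 * 8 + 8 = 24 bytes in total. */
static uint8_t ext_hdr[24] = { 59 /* next header */, 2 /* hdr ext len */ };
/* Unrelated buffer, standing in for whatever sits after the pointer. */
static uint8_t unrelated[1] = { 0xff };

/* What the quoted line computes: *hdrptr[1] parses as *(hdrptr[1]),
 * the first byte behind the pointer stored after *hdrptr. Only safe to
 * call when a second pointer really exists, as in slots[] below. */
static unsigned int hdrlen_as_written(uint8_t **hdrptr)
{
    return *hdrptr[1] * 8 + 8;
}

/* What was meant: byte 1 of the header that *hdrptr points at. */
static unsigned int hdrlen_intended(uint8_t **hdrptr)
{
    return (*hdrptr)[1] * 8 + 8;
}

/* Advance *hdrptr past one extension header without stepping beyond end.
 * Returns the header length, or 0 if the header does not fit. */
static unsigned int skip_ext_hdr(uint8_t **hdrptr, const uint8_t *end)
{
    unsigned int hdrlen;

    if (end - *hdrptr < 2)
        return 0;
    hdrlen = hdrlen_intended(hdrptr);
    if ((size_t)(end - *hdrptr) < hdrlen)
        return 0;
    *hdrptr += hdrlen;
    return hdrlen;
}

int main(void)
{
    uint8_t *slots[2] = { ext_hdr, unrelated };
    uint8_t *p = ext_hdr;

    printf("as written: %u\n", hdrlen_as_written(slots));
    printf("intended:   %u\n", hdrlen_intended(slots));
    printf("skipped:    %u\n", skip_ext_hdr(&p, ext_hdr + sizeof(ext_hdr)));
    return 0;
}
```

When `hdrptr` is the address of a single pointer variable, as in the case quoted above, `hdrptr[1]` is whatever happens to lie next to that variable, so the as-written form dereferences an arbitrary address.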