diff options
| -rw-r--r-- | net/netfilter/nf_conntrack_ftp.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index de83bf9e6c61..dc6f0017ca6b 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c @@ -120,6 +120,8 @@ static int try_number(const char *data, size_t dlen, u_int32_t array[], for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) { if (*data >= '0' && *data <= '9') { array[i] = array[i]*10 + *data - '0'; + if (array[i] > 255) + return 0; } else if (*data == sep) i++; @@ -189,7 +191,7 @@ static int try_rfc1123(const char *data, size_t dlen, static int get_port(const char *data, int start, size_t dlen, char delim, __be16 *port) { - u_int16_t tmp_port = 0; + u32 tmp_port = 0; int i; for (i = start; i < dlen; i++) { @@ -200,10 +202,11 @@ static int get_port(const char *data, int start, size_t dlen, char delim, *port = htons(tmp_port); pr_debug("get_port: return %d\n", tmp_port); return i + 1; - } - else if (data[i] >= '0' && data[i] <= '9') + } else if (data[i] >= '0' && data[i] <= '9') { tmp_port = tmp_port*10 + data[i] - '0'; - else { /* Some other crap */ + if (tmp_port > 65535) + break; + } else { /* Some other crap */ pr_debug("get_port: invalid char.\n"); break; } |