netfilter: nfnetlink_hook: fix array index out-of-bounds error

Currently the array net->nf.hooks_ipv6 is accessed by index hook
before hook is sanity checked. Fix this by moving the sanity check
to before the array access.

Addresses-Coverity: ("Out-of-bounds access")
Fixes: e2cf17d3774c ("netfilter: add new hook nfnl subsystem")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nfnetlink_hook.c b/net/netfilter/nfnetlink_hook.c
index 04586dfa2acdbc67634f62838af5a6da6febbda6..58fda6ac663bc72f1c2cdf98bcd3b144f5e80967 100644 (file)
--- a/net/netfilter/nfnetlink_hook.c
+++ b/net/netfilter/nfnetlink_hook.c
@@ -181,9 +181,9 @@ nfnl_hook_entries_head(u8 pf, unsigned int hook, struct net *net, const char *de
                hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
                break;
        case NFPROTO_IPV6:
-               hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
                if (hook >= ARRAY_SIZE(net->nf.hooks_ipv6))
                        return ERR_PTR(-EINVAL);
+               hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
                break;
        case NFPROTO_ARP:
 #ifdef CONFIG_NETFILTER_FAMILY_ARP