netfilter: x_tables: validate e->target_offset early
Orabug:
24690280
CVE: CVE-2016-4997, CVE-2016-4998
We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit
bdf533de6968e9686df777dc178486f600c6e617)
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Conflicts:
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/ip_tables.c
net/ipv6/netfilter/ip6_tables.c
Signed-off-by: Brian Maly <brian.maly@oracle.com>