Commit 9d3f027327c2 for kernel

commit 9d3f027327c2fa265f7f85ead41294792c3296ed
Author: Ren Wei <n05ec@lzu.edu.cn>
Date:   Wed Mar 25 14:11:00 2026 +0100

    netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()

    Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS.

    rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].
    Validate addrnr during rule installation so malformed rules are rejected
    before the match logic can use an out-of-range value.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: Yifan Wu <yifanwucs@gmail.com>
    Reported-by: Juefei Pu <tomapufckgml@gmail.com>
    Co-developed-by: Yuan Tan <yuantan098@gmail.com>
    Signed-off-by: Yuan Tan <yuantan098@gmail.com>
    Suggested-by: Xin Liu <bird@lzu.edu.cn>
    Tested-by: Yuhang Zheng <z1652074432@gmail.com>
    Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 4ad8b2032f1f..5561bd9cea81 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -157,6 +157,10 @@ static int rt_mt6_check(const struct xt_mtchk_param *par)
 		pr_debug("unknown flags %X\n", rtinfo->invflags);
 		return -EINVAL;
 	}
+	if (rtinfo->addrnr > IP6T_RT_HOPS) {
+		pr_debug("too many addresses specified\n");
+		return -EINVAL;
+	}
 	if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
 	    (!(rtinfo->flags & IP6T_RT_TYP) ||
 	     (rtinfo->rt_type != 0) ||