From a3c3bc00709e511b2210ed581a6585e124bfa609 Mon Sep 17 00:00:00 2001
From: pr-hung <bkedx0000@gmail.com>
Date: Thu, 25 Dec 2025 23:31:28 +0800
Subject: [PATCH] Fix potential vulnerability in cloned code
 (net/ipv4/netfilter/ip_tables.c)

---
 net/ipv4/netfilter/ip_tables.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 3d101613f27fa..fa293e391e054 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -326,14 +326,19 @@ ipt_do_table(void *priv,
 				}
 				continue;
 			}
-			if (table_base + v != ipt_next_entry(e) &&
 			    !(e->ip.flags & IPT_F_GOTO)) {
+			if (table_base + v != ipt_next_entry(e) &&
 				if (unlikely(stackidx >= private->stacksize)) {
+				if (unlikely(stackidx >= private->stacksize)) {
+					verdict = NF_DROP;
 					verdict = NF_DROP;
 					break;
+					break;
+				}
 				}
 				jumpstack[stackidx++] = e;
 			}
+			}
 
 			e = get_entry(table_base, v);
 			continue;