author | Hagen Paul Pfeifer <hagen@jauu.net> | 2009-02-20 04:48:06 -0500 |
committer | Patrick McHardy <kaber@trash.net> | 2009-02-20 04:48:06 -0500 |
commit | af07d241dc76f0a52c7ff04df3a3970020fe6157 (patch) | |
tree | c1461cfc8c0ab342996efd6982e9b376dea62f54 /net/netfilter | |
parent | e478075c6f07a383c378fb400edc1a7407a941b0 (diff) |
netfilter: fix hardcoded size assumptions
get_random_bytes() is sometimes called with a hard-coded size assumption
of an integer. This may not hold true in the future. This patch
replaces it with a compile-time statement.
Signed-off-by: Hagen Paul Pfeifer <hagen@jauu.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nf_conntrack_core.c | 5 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_expect.c | 3 | ||||
-rw-r--r-- | net/netfilter/xt_hashlimit.c | 2 |
3 files changed, 6 insertions, 4 deletions
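--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -472,7 +472,8 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
 struct nf_conn *ct;
 
 if (unlikely(!nf_conntrack_hash_rnd_initted)) {
-get_random_bytes(&nf_conntrack_hash_rnd, 4);
+get_random_bytes(&nf_conntrack_hash_rnd,
+sizeof(nf_conntrack_hash_rnd));
 nf_conntrack_hash_rnd_initted = 1;
 }
 
@@ -1103,7 +1104,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
 
 /* We have to rehahs for the new table anyway, so we also can
 * use a newrandom seed */
-get_random_bytes(&rnd, 4);
+get_random_bytes(&rnd, sizeof(rnd));
 
 /* Lookups in the old hash might happen in parallel, which means we
 * might get false negatives during connection lookup. New connections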
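Review bot: The lazy seeding at new lines 474-477 is still a check-then-act on `nf_conntrack_hash_rnd_initted` with no serialization visible in the hunk, so two CPUs entering nf_conntrack_alloc() at the same time could each call get_random_bytes(), and the second call would overwrite a seed already used to place entries in the hash, leaving those entries unfindable; the nf_conntrack_expect.c hunk at new lines 74-77 has the same pattern. Unless a lock taken by the caller (not visible here) covers this path, a first-writer-wins form such as `u32 rnd; get_random_bytes(&rnd, sizeof(rnd)); cmpxchg(&nf_conntrack_hash_rnd, 0, rnd);` — assuming the variable is a u32, as the old hard-coded 4 suggests — would close the window, with the flag set only by the winner. The context comment at new lines 1105-1106 could also have its typos fixed while the line is touched (`rehash`, `new random`). Both nf_conntrack_alloc() and nf_conntrack_set_hashsize() start before their hunks and continue past them.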
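--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -72,7 +72,8 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple
 unsigned int hash;
 
 if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
-get_random_bytes(&nf_ct_expect_hash_rnd, 4);
+get_random_bytes(&nf_ct_expect_hash_rnd,
+sizeof(nf_ct_expect_hash_rnd));
 nf_ct_expect_hash_rnd_initted = 1;
 }
 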
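--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -149,7 +149,7 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
 /* initialize hash with random val at the time we allocate
 * the first hashtable entry */
 if (!ht->rnd_initialized) {
-get_random_bytes(&ht->rnd, 4);
+get_random_bytes(&ht->rnd, sizeof(ht->rnd));
 ht->rnd_initialized = 1;
 }
 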