diff options
author | Patrick McHardy <kaber@trash.net> | 2006-03-20 21:01:43 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-03-20 21:01:43 -0500 |
commit | 7f9397138e297904bf1c717651183e785a01ff13 (patch) | |
tree | 67b39ba381e8ffd2340d002a118252be0fc2e923 | |
parent | aa83c1ab4384c0905527c84e5135a56daa885834 (diff) |
[NETFILTER]: Convert ip6_tables matches/targets to centralized error checking
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 23 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_HL.c | 17 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_LOG.c | 9 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_REJECT.c | 23 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_ah.c | 10 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_dst.c | 11 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_esp.c | 10 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_eui64.c | 26 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_frag.c | 11 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_hbh.c | 11 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_hl.c | 14 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_ipv6header.c | 6 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_multiport.c | 9 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_owner.c | 16 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_policy.c | 6 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6t_rt.c | 10 |
16 files changed, 47 insertions, 165 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 1cd70683f2e2..e2e8d0140d7b 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -544,21 +544,12 @@ standard_check(const struct ip6t_entry_target *t, | |||
544 | struct ip6t_standard_target *targ = (void *)t; | 544 | struct ip6t_standard_target *targ = (void *)t; |
545 | 545 | ||
546 | /* Check standard info. */ | 546 | /* Check standard info. */ |
547 | if (t->u.target_size | ||
548 | != IP6T_ALIGN(sizeof(struct ip6t_standard_target))) { | ||
549 | duprintf("standard_check: target size %u != %u\n", | ||
550 | t->u.target_size, | ||
551 | IP6T_ALIGN(sizeof(struct ip6t_standard_target))); | ||
552 | return 0; | ||
553 | } | ||
554 | |||
555 | if (targ->verdict >= 0 | 547 | if (targ->verdict >= 0 |
556 | && targ->verdict > max_offset - sizeof(struct ip6t_entry)) { | 548 | && targ->verdict > max_offset - sizeof(struct ip6t_entry)) { |
557 | duprintf("ip6t_standard_check: bad verdict (%i)\n", | 549 | duprintf("ip6t_standard_check: bad verdict (%i)\n", |
558 | targ->verdict); | 550 | targ->verdict); |
559 | return 0; | 551 | return 0; |
560 | } | 552 | } |
561 | |||
562 | if (targ->verdict < -NF_MAX_VERDICT - 1) { | 553 | if (targ->verdict < -NF_MAX_VERDICT - 1) { |
563 | duprintf("ip6t_standard_check: bad negative verdict (%i)\n", | 554 | duprintf("ip6t_standard_check: bad negative verdict (%i)\n", |
564 | targ->verdict); | 555 | targ->verdict); |
@@ -1385,24 +1376,22 @@ icmp6_checkentry(const char *tablename, | |||
1385 | unsigned int matchsize, | 1376 | unsigned int matchsize, |
1386 | unsigned int hook_mask) | 1377 | unsigned int hook_mask) |
1387 | { | 1378 | { |
1388 | const struct ip6t_ip6 *ipv6 = entry; | ||
1389 | const struct ip6t_icmp *icmpinfo = matchinfo; | 1379 | const struct ip6t_icmp *icmpinfo = matchinfo; |
1390 | 1380 | ||
1391 | /* Must specify proto == ICMP, and no unknown invflags */ | 1381 | /* Must specify no unknown invflags */ |
1392 | return ipv6->proto == IPPROTO_ICMPV6 | 1382 | return !(icmpinfo->invflags & ~IP6T_ICMP_INV); |
1393 | && !(ipv6->invflags & IP6T_INV_PROTO) | ||
1394 | && matchsize == IP6T_ALIGN(sizeof(struct ip6t_icmp)) | ||
1395 | && !(icmpinfo->invflags & ~IP6T_ICMP_INV); | ||
1396 | } | 1383 | } |
1397 | 1384 | ||
1398 | /* The built-in targets: standard (NULL) and error. */ | 1385 | /* The built-in targets: standard (NULL) and error. */ |
1399 | static struct ip6t_target ip6t_standard_target = { | 1386 | static struct ip6t_target ip6t_standard_target = { |
1400 | .name = IP6T_STANDARD_TARGET, | 1387 | .name = IP6T_STANDARD_TARGET, |
1388 | .targetsize = sizeof(int), | ||
1401 | }; | 1389 | }; |
1402 | 1390 | ||
1403 | static struct ip6t_target ip6t_error_target = { | 1391 | static struct ip6t_target ip6t_error_target = { |
1404 | .name = IP6T_ERROR_TARGET, | 1392 | .name = IP6T_ERROR_TARGET, |
1405 | .target = ip6t_error, | 1393 | .target = ip6t_error, |
1394 | .targetsize = IP6T_FUNCTION_MAXNAMELEN, | ||
1406 | }; | 1395 | }; |
1407 | 1396 | ||
1408 | static struct nf_sockopt_ops ip6t_sockopts = { | 1397 | static struct nf_sockopt_ops ip6t_sockopts = { |
@@ -1418,7 +1407,9 @@ static struct nf_sockopt_ops ip6t_sockopts = { | |||
1418 | static struct ip6t_match icmp6_matchstruct = { | 1407 | static struct ip6t_match icmp6_matchstruct = { |
1419 | .name = "icmp6", | 1408 | .name = "icmp6", |
1420 | .match = &icmp6_match, | 1409 | .match = &icmp6_match, |
1421 | .checkentry = &icmp6_checkentry, | 1410 | .matchsize = sizeof(struct ip6t_icmp), |
1411 | .checkentry = icmp6_checkentry, | ||
1412 | .proto = IPPROTO_ICMPV6, | ||
1422 | }; | 1413 | }; |
1423 | 1414 | ||
1424 | static int __init init(void) | 1415 | static int __init init(void) |
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c index 306200c35057..ab39ee90418e 100644 --- a/net/ipv6/netfilter/ip6t_HL.c +++ b/net/ipv6/netfilter/ip6t_HL.c | |||
@@ -69,37 +69,24 @@ static int ip6t_hl_checkentry(const char *tablename, | |||
69 | { | 69 | { |
70 | struct ip6t_HL_info *info = targinfo; | 70 | struct ip6t_HL_info *info = targinfo; |
71 | 71 | ||
72 | if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_HL_info))) { | ||
73 | printk(KERN_WARNING "ip6t_HL: targinfosize %u != %Zu\n", | ||
74 | targinfosize, | ||
75 | IP6T_ALIGN(sizeof(struct ip6t_HL_info))); | ||
76 | return 0; | ||
77 | } | ||
78 | |||
79 | if (strcmp(tablename, "mangle")) { | ||
80 | printk(KERN_WARNING "ip6t_HL: can only be called from " | ||
81 | "\"mangle\" table, not \"%s\"\n", tablename); | ||
82 | return 0; | ||
83 | } | ||
84 | |||
85 | if (info->mode > IP6T_HL_MAXMODE) { | 72 | if (info->mode > IP6T_HL_MAXMODE) { |
86 | printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", | 73 | printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", |
87 | info->mode); | 74 | info->mode); |
88 | return 0; | 75 | return 0; |
89 | } | 76 | } |
90 | |||
91 | if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) { | 77 | if ((info->mode != IP6T_HL_SET) && (info->hop_limit == 0)) { |
92 | printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " | 78 | printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " |
93 | "make sense with value 0\n"); | 79 | "make sense with value 0\n"); |
94 | return 0; | 80 | return 0; |
95 | } | 81 | } |
96 | |||
97 | return 1; | 82 | return 1; |
98 | } | 83 | } |
99 | 84 | ||
100 | static struct ip6t_target ip6t_HL = { | 85 | static struct ip6t_target ip6t_HL = { |
101 | .name = "HL", | 86 | .name = "HL", |
102 | .target = ip6t_hl_target, | 87 | .target = ip6t_hl_target, |
88 | .targetsize = sizeof(struct ip6t_HL_info), | ||
89 | .table = "mangle", | ||
103 | .checkentry = ip6t_hl_checkentry, | 90 | .checkentry = ip6t_hl_checkentry, |
104 | .me = THIS_MODULE | 91 | .me = THIS_MODULE |
105 | }; | 92 | }; |
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c index 6b930efa9fb9..6a3a2da5f2b4 100644 --- a/net/ipv6/netfilter/ip6t_LOG.c +++ b/net/ipv6/netfilter/ip6t_LOG.c | |||
@@ -455,29 +455,22 @@ static int ip6t_log_checkentry(const char *tablename, | |||
455 | { | 455 | { |
456 | const struct ip6t_log_info *loginfo = targinfo; | 456 | const struct ip6t_log_info *loginfo = targinfo; |
457 | 457 | ||
458 | if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_log_info))) { | ||
459 | DEBUGP("LOG: targinfosize %u != %u\n", | ||
460 | targinfosize, IP6T_ALIGN(sizeof(struct ip6t_log_info))); | ||
461 | return 0; | ||
462 | } | ||
463 | |||
464 | if (loginfo->level >= 8) { | 458 | if (loginfo->level >= 8) { |
465 | DEBUGP("LOG: level %u >= 8\n", loginfo->level); | 459 | DEBUGP("LOG: level %u >= 8\n", loginfo->level); |
466 | return 0; | 460 | return 0; |
467 | } | 461 | } |
468 | |||
469 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { | 462 | if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { |
470 | DEBUGP("LOG: prefix term %i\n", | 463 | DEBUGP("LOG: prefix term %i\n", |
471 | loginfo->prefix[sizeof(loginfo->prefix)-1]); | 464 | loginfo->prefix[sizeof(loginfo->prefix)-1]); |
472 | return 0; | 465 | return 0; |
473 | } | 466 | } |
474 | |||
475 | return 1; | 467 | return 1; |
476 | } | 468 | } |
477 | 469 | ||
478 | static struct ip6t_target ip6t_log_reg = { | 470 | static struct ip6t_target ip6t_log_reg = { |
479 | .name = "LOG", | 471 | .name = "LOG", |
480 | .target = ip6t_log_target, | 472 | .target = ip6t_log_target, |
473 | .targetsize = sizeof(struct ip6t_log_info), | ||
481 | .checkentry = ip6t_log_checkentry, | 474 | .checkentry = ip6t_log_checkentry, |
482 | .me = THIS_MODULE, | 475 | .me = THIS_MODULE, |
483 | }; | 476 | }; |
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 0e6d1d4bbd5c..86407060f6da 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c | |||
@@ -228,24 +228,6 @@ static int check(const char *tablename, | |||
228 | const struct ip6t_reject_info *rejinfo = targinfo; | 228 | const struct ip6t_reject_info *rejinfo = targinfo; |
229 | const struct ip6t_entry *e = entry; | 229 | const struct ip6t_entry *e = entry; |
230 | 230 | ||
231 | if (targinfosize != IP6T_ALIGN(sizeof(struct ip6t_reject_info))) { | ||
232 | DEBUGP("ip6t_REJECT: targinfosize %u != 0\n", targinfosize); | ||
233 | return 0; | ||
234 | } | ||
235 | |||
236 | /* Only allow these for packet filtering. */ | ||
237 | if (strcmp(tablename, "filter") != 0) { | ||
238 | DEBUGP("ip6t_REJECT: bad table `%s'.\n", tablename); | ||
239 | return 0; | ||
240 | } | ||
241 | |||
242 | if ((hook_mask & ~((1 << NF_IP6_LOCAL_IN) | ||
243 | | (1 << NF_IP6_FORWARD) | ||
244 | | (1 << NF_IP6_LOCAL_OUT))) != 0) { | ||
245 | DEBUGP("ip6t_REJECT: bad hook mask %X\n", hook_mask); | ||
246 | return 0; | ||
247 | } | ||
248 | |||
249 | if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { | 231 | if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { |
250 | printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); | 232 | printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); |
251 | return 0; | 233 | return 0; |
@@ -257,13 +239,16 @@ static int check(const char *tablename, | |||
257 | return 0; | 239 | return 0; |
258 | } | 240 | } |
259 | } | 241 | } |
260 | |||
261 | return 1; | 242 | return 1; |
262 | } | 243 | } |
263 | 244 | ||
264 | static struct ip6t_target ip6t_reject_reg = { | 245 | static struct ip6t_target ip6t_reject_reg = { |
265 | .name = "REJECT", | 246 | .name = "REJECT", |
266 | .target = reject6_target, | 247 | .target = reject6_target, |
248 | .targetsize = sizeof(struct ip6t_reject_info), | ||
249 | .table = "filter", | ||
250 | .hooks = (1 << NF_IP6_LOCAL_IN) | (1 << NF_IP6_FORWARD) | | ||
251 | (1 << NF_IP6_LOCAL_OUT), | ||
267 | .checkentry = check, | 252 | .checkentry = check, |
268 | .me = THIS_MODULE | 253 | .me = THIS_MODULE |
269 | }; | 254 | }; |
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c index 219a30365dff..28710edcff4e 100644 --- a/net/ipv6/netfilter/ip6t_ah.c +++ b/net/ipv6/netfilter/ip6t_ah.c | |||
@@ -105,11 +105,6 @@ checkentry(const char *tablename, | |||
105 | { | 105 | { |
106 | const struct ip6t_ah *ahinfo = matchinfo; | 106 | const struct ip6t_ah *ahinfo = matchinfo; |
107 | 107 | ||
108 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_ah))) { | ||
109 | DEBUGP("ip6t_ah: matchsize %u != %u\n", | ||
110 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_ah))); | ||
111 | return 0; | ||
112 | } | ||
113 | if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { | 108 | if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { |
114 | DEBUGP("ip6t_ah: unknown flags %X\n", ahinfo->invflags); | 109 | DEBUGP("ip6t_ah: unknown flags %X\n", ahinfo->invflags); |
115 | return 0; | 110 | return 0; |
@@ -119,8 +114,9 @@ checkentry(const char *tablename, | |||
119 | 114 | ||
120 | static struct ip6t_match ah_match = { | 115 | static struct ip6t_match ah_match = { |
121 | .name = "ah", | 116 | .name = "ah", |
122 | .match = &match, | 117 | .match = match, |
123 | .checkentry = &checkentry, | 118 | .matchsize = sizeof(struct ip6t_ah), |
119 | .checkentry = checkentry, | ||
124 | .me = THIS_MODULE, | 120 | .me = THIS_MODULE, |
125 | }; | 121 | }; |
126 | 122 | ||
diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c index b4c153a53500..2fbde5944e00 100644 --- a/net/ipv6/netfilter/ip6t_dst.c +++ b/net/ipv6/netfilter/ip6t_dst.c | |||
@@ -185,16 +185,10 @@ checkentry(const char *tablename, | |||
185 | { | 185 | { |
186 | const struct ip6t_opts *optsinfo = matchinfo; | 186 | const struct ip6t_opts *optsinfo = matchinfo; |
187 | 187 | ||
188 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) { | ||
189 | DEBUGP("ip6t_opts: matchsize %u != %u\n", | ||
190 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts))); | ||
191 | return 0; | ||
192 | } | ||
193 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { | 188 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { |
194 | DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); | 189 | DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); |
195 | return 0; | 190 | return 0; |
196 | } | 191 | } |
197 | |||
198 | return 1; | 192 | return 1; |
199 | } | 193 | } |
200 | 194 | ||
@@ -204,8 +198,9 @@ static struct ip6t_match opts_match = { | |||
204 | #else | 198 | #else |
205 | .name = "dst", | 199 | .name = "dst", |
206 | #endif | 200 | #endif |
207 | .match = &match, | 201 | .match = match, |
208 | .checkentry = &checkentry, | 202 | .matchsize = sizeof(struct ip6t_opts), |
203 | .checkentry = checkentry, | ||
209 | .me = THIS_MODULE, | 204 | .me = THIS_MODULE, |
210 | }; | 205 | }; |
211 | 206 | ||
diff --git a/net/ipv6/netfilter/ip6t_esp.c b/net/ipv6/netfilter/ip6t_esp.c index 724285df8711..ede722328c3d 100644 --- a/net/ipv6/netfilter/ip6t_esp.c +++ b/net/ipv6/netfilter/ip6t_esp.c | |||
@@ -83,11 +83,6 @@ checkentry(const char *tablename, | |||
83 | { | 83 | { |
84 | const struct ip6t_esp *espinfo = matchinfo; | 84 | const struct ip6t_esp *espinfo = matchinfo; |
85 | 85 | ||
86 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_esp))) { | ||
87 | DEBUGP("ip6t_esp: matchsize %u != %u\n", | ||
88 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_esp))); | ||
89 | return 0; | ||
90 | } | ||
91 | if (espinfo->invflags & ~IP6T_ESP_INV_MASK) { | 86 | if (espinfo->invflags & ~IP6T_ESP_INV_MASK) { |
92 | DEBUGP("ip6t_esp: unknown flags %X\n", | 87 | DEBUGP("ip6t_esp: unknown flags %X\n", |
93 | espinfo->invflags); | 88 | espinfo->invflags); |
@@ -98,8 +93,9 @@ checkentry(const char *tablename, | |||
98 | 93 | ||
99 | static struct ip6t_match esp_match = { | 94 | static struct ip6t_match esp_match = { |
100 | .name = "esp", | 95 | .name = "esp", |
101 | .match = &match, | 96 | .match = match, |
102 | .checkentry = &checkentry, | 97 | .matchsize = sizeof(struct ip6t_esp), |
98 | .checkentry = checkentry, | ||
103 | .me = THIS_MODULE, | 99 | .me = THIS_MODULE, |
104 | }; | 100 | }; |
105 | 101 | ||
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c index 27396ac0b9ed..bfee5be7e57b 100644 --- a/net/ipv6/netfilter/ip6t_eui64.c +++ b/net/ipv6/netfilter/ip6t_eui64.c | |||
@@ -60,30 +60,12 @@ match(const struct sk_buff *skb, | |||
60 | return 0; | 60 | return 0; |
61 | } | 61 | } |
62 | 62 | ||
63 | static int | ||
64 | ip6t_eui64_checkentry(const char *tablename, | ||
65 | const void *ip, | ||
66 | void *matchinfo, | ||
67 | unsigned int matchsize, | ||
68 | unsigned int hook_mask) | ||
69 | { | ||
70 | if (hook_mask | ||
71 | & ~((1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) | | ||
72 | (1 << NF_IP6_FORWARD))) { | ||
73 | printk("ip6t_eui64: only valid for PRE_ROUTING, LOCAL_IN or FORWARD.\n"); | ||
74 | return 0; | ||
75 | } | ||
76 | |||
77 | if (matchsize != IP6T_ALIGN(sizeof(int))) | ||
78 | return 0; | ||
79 | |||
80 | return 1; | ||
81 | } | ||
82 | |||
83 | static struct ip6t_match eui64_match = { | 63 | static struct ip6t_match eui64_match = { |
84 | .name = "eui64", | 64 | .name = "eui64", |
85 | .match = &match, | 65 | .match = match, |
86 | .checkentry = &ip6t_eui64_checkentry, | 66 | .matchsize = sizeof(int), |
67 | .hooks = (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) | | ||
68 | (1 << NF_IP6_FORWARD), | ||
87 | .me = THIS_MODULE, | 69 | .me = THIS_MODULE, |
88 | }; | 70 | }; |
89 | 71 | ||
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c index 4c14125a0e26..305de9bc6731 100644 --- a/net/ipv6/netfilter/ip6t_frag.c +++ b/net/ipv6/netfilter/ip6t_frag.c | |||
@@ -122,23 +122,18 @@ checkentry(const char *tablename, | |||
122 | { | 122 | { |
123 | const struct ip6t_frag *fraginfo = matchinfo; | 123 | const struct ip6t_frag *fraginfo = matchinfo; |
124 | 124 | ||
125 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_frag))) { | ||
126 | DEBUGP("ip6t_frag: matchsize %u != %u\n", | ||
127 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_frag))); | ||
128 | return 0; | ||
129 | } | ||
130 | if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { | 125 | if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { |
131 | DEBUGP("ip6t_frag: unknown flags %X\n", fraginfo->invflags); | 126 | DEBUGP("ip6t_frag: unknown flags %X\n", fraginfo->invflags); |
132 | return 0; | 127 | return 0; |
133 | } | 128 | } |
134 | |||
135 | return 1; | 129 | return 1; |
136 | } | 130 | } |
137 | 131 | ||
138 | static struct ip6t_match frag_match = { | 132 | static struct ip6t_match frag_match = { |
139 | .name = "frag", | 133 | .name = "frag", |
140 | .match = &match, | 134 | .match = match, |
141 | .checkentry = &checkentry, | 135 | .matchsize = sizeof(struct ip6t_frag), |
136 | .checkentry = checkentry, | ||
142 | .me = THIS_MODULE, | 137 | .me = THIS_MODULE, |
143 | }; | 138 | }; |
144 | 139 | ||
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c index 37a8474a7e0c..ac8d4791bc2a 100644 --- a/net/ipv6/netfilter/ip6t_hbh.c +++ b/net/ipv6/netfilter/ip6t_hbh.c | |||
@@ -185,16 +185,10 @@ checkentry(const char *tablename, | |||
185 | { | 185 | { |
186 | const struct ip6t_opts *optsinfo = matchinfo; | 186 | const struct ip6t_opts *optsinfo = matchinfo; |
187 | 187 | ||
188 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_opts))) { | ||
189 | DEBUGP("ip6t_opts: matchsize %u != %u\n", | ||
190 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_opts))); | ||
191 | return 0; | ||
192 | } | ||
193 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { | 188 | if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { |
194 | DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); | 189 | DEBUGP("ip6t_opts: unknown flags %X\n", optsinfo->invflags); |
195 | return 0; | 190 | return 0; |
196 | } | 191 | } |
197 | |||
198 | return 1; | 192 | return 1; |
199 | } | 193 | } |
200 | 194 | ||
@@ -204,8 +198,9 @@ static struct ip6t_match opts_match = { | |||
204 | #else | 198 | #else |
205 | .name = "dst", | 199 | .name = "dst", |
206 | #endif | 200 | #endif |
207 | .match = &match, | 201 | .match = match, |
208 | .checkentry = &checkentry, | 202 | .matchsize = sizeof(struct ip6t_opts), |
203 | .checkentry = checkentry, | ||
209 | .me = THIS_MODULE, | 204 | .me = THIS_MODULE, |
210 | }; | 205 | }; |
211 | 206 | ||
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c index c5d9079f2d9d..1eabb6507300 100644 --- a/net/ipv6/netfilter/ip6t_hl.c +++ b/net/ipv6/netfilter/ip6t_hl.c | |||
@@ -48,20 +48,10 @@ static int match(const struct sk_buff *skb, const struct net_device *in, | |||
48 | return 0; | 48 | return 0; |
49 | } | 49 | } |
50 | 50 | ||
51 | static int checkentry(const char *tablename, const void *entry, | ||
52 | void *matchinfo, unsigned int matchsize, | ||
53 | unsigned int hook_mask) | ||
54 | { | ||
55 | if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_hl_info))) | ||
56 | return 0; | ||
57 | |||
58 | return 1; | ||
59 | } | ||
60 | |||
61 | static struct ip6t_match hl_match = { | 51 | static struct ip6t_match hl_match = { |
62 | .name = "hl", | 52 | .name = "hl", |
63 | .match = &match, | 53 | .match = match, |
64 | .checkentry = &checkentry, | 54 | .matchsize = sizeof(struct ip6t_hl_info), |
65 | .me = THIS_MODULE, | 55 | .me = THIS_MODULE, |
66 | }; | 56 | }; |
67 | 57 | ||
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c index 83ad6b272f7e..063032a214c7 100644 --- a/net/ipv6/netfilter/ip6t_ipv6header.c +++ b/net/ipv6/netfilter/ip6t_ipv6header.c | |||
@@ -131,11 +131,6 @@ ipv6header_checkentry(const char *tablename, | |||
131 | { | 131 | { |
132 | const struct ip6t_ipv6header_info *info = matchinfo; | 132 | const struct ip6t_ipv6header_info *info = matchinfo; |
133 | 133 | ||
134 | /* Check for obvious errors */ | ||
135 | /* This match is valid in all hooks! */ | ||
136 | if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_ipv6header_info))) | ||
137 | return 0; | ||
138 | |||
139 | /* invflags is 0 or 0xff in hard mode */ | 134 | /* invflags is 0 or 0xff in hard mode */ |
140 | if ((!info->modeflag) && info->invflags != 0x00 && | 135 | if ((!info->modeflag) && info->invflags != 0x00 && |
141 | info->invflags != 0xFF) | 136 | info->invflags != 0xFF) |
@@ -147,6 +142,7 @@ ipv6header_checkentry(const char *tablename, | |||
147 | static struct ip6t_match ip6t_ipv6header_match = { | 142 | static struct ip6t_match ip6t_ipv6header_match = { |
148 | .name = "ipv6header", | 143 | .name = "ipv6header", |
149 | .match = &ipv6header_match, | 144 | .match = &ipv6header_match, |
145 | .matchsize = sizeof(struct ip6t_ipv6header_info), | ||
150 | .checkentry = &ipv6header_checkentry, | 146 | .checkentry = &ipv6header_checkentry, |
151 | .destroy = NULL, | 147 | .destroy = NULL, |
152 | .me = THIS_MODULE, | 148 | .me = THIS_MODULE, |
diff --git a/net/ipv6/netfilter/ip6t_multiport.c b/net/ipv6/netfilter/ip6t_multiport.c index 49f7829dfbc2..b86774daf170 100644 --- a/net/ipv6/netfilter/ip6t_multiport.c +++ b/net/ipv6/netfilter/ip6t_multiport.c | |||
@@ -92,13 +92,9 @@ checkentry(const char *tablename, | |||
92 | const struct ip6t_ip6 *ip = info; | 92 | const struct ip6t_ip6 *ip = info; |
93 | const struct ip6t_multiport *multiinfo = matchinfo; | 93 | const struct ip6t_multiport *multiinfo = matchinfo; |
94 | 94 | ||
95 | if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_multiport))) | ||
96 | return 0; | ||
97 | |||
98 | /* Must specify proto == TCP/UDP, no unknown flags or bad count */ | 95 | /* Must specify proto == TCP/UDP, no unknown flags or bad count */ |
99 | return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP) | 96 | return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP) |
100 | && !(ip->invflags & IP6T_INV_PROTO) | 97 | && !(ip->invflags & IP6T_INV_PROTO) |
101 | && matchsize == IP6T_ALIGN(sizeof(struct ip6t_multiport)) | ||
102 | && (multiinfo->flags == IP6T_MULTIPORT_SOURCE | 98 | && (multiinfo->flags == IP6T_MULTIPORT_SOURCE |
103 | || multiinfo->flags == IP6T_MULTIPORT_DESTINATION | 99 | || multiinfo->flags == IP6T_MULTIPORT_DESTINATION |
104 | || multiinfo->flags == IP6T_MULTIPORT_EITHER) | 100 | || multiinfo->flags == IP6T_MULTIPORT_EITHER) |
@@ -107,8 +103,9 @@ checkentry(const char *tablename, | |||
107 | 103 | ||
108 | static struct ip6t_match multiport_match = { | 104 | static struct ip6t_match multiport_match = { |
109 | .name = "multiport", | 105 | .name = "multiport", |
110 | .match = &match, | 106 | .match = match, |
111 | .checkentry = &checkentry, | 107 | .matchsize = sizeof(struct ip6t_multiport), |
108 | .checkentry = checkentry, | ||
112 | .me = THIS_MODULE, | 109 | .me = THIS_MODULE, |
113 | }; | 110 | }; |
114 | 111 | ||
diff --git a/net/ipv6/netfilter/ip6t_owner.c b/net/ipv6/netfilter/ip6t_owner.c index 8c8a4c7ec934..e26cd6da0420 100644 --- a/net/ipv6/netfilter/ip6t_owner.c +++ b/net/ipv6/netfilter/ip6t_owner.c | |||
@@ -60,28 +60,20 @@ checkentry(const char *tablename, | |||
60 | { | 60 | { |
61 | const struct ip6t_owner_info *info = matchinfo; | 61 | const struct ip6t_owner_info *info = matchinfo; |
62 | 62 | ||
63 | if (hook_mask | ||
64 | & ~((1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING))) { | ||
65 | printk("ip6t_owner: only valid for LOCAL_OUT or POST_ROUTING.\n"); | ||
66 | return 0; | ||
67 | } | ||
68 | |||
69 | if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_owner_info))) | ||
70 | return 0; | ||
71 | |||
72 | if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) { | 63 | if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) { |
73 | printk("ipt_owner: pid and sid matching " | 64 | printk("ipt_owner: pid and sid matching " |
74 | "not supported anymore\n"); | 65 | "not supported anymore\n"); |
75 | return 0; | 66 | return 0; |
76 | } | 67 | } |
77 | |||
78 | return 1; | 68 | return 1; |
79 | } | 69 | } |
80 | 70 | ||
81 | static struct ip6t_match owner_match = { | 71 | static struct ip6t_match owner_match = { |
82 | .name = "owner", | 72 | .name = "owner", |
83 | .match = &match, | 73 | .match = match, |
84 | .checkentry = &checkentry, | 74 | .matchsize = sizeof(struct ip6t_owner_info), |
75 | .hooks = (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING), | ||
76 | .checkentry = checkentry, | ||
85 | .me = THIS_MODULE, | 77 | .me = THIS_MODULE, |
86 | }; | 78 | }; |
87 | 79 | ||
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c index 3d39ec924041..ac8a5447aa85 100644 --- a/net/ipv6/netfilter/ip6t_policy.c +++ b/net/ipv6/netfilter/ip6t_policy.c | |||
@@ -125,11 +125,6 @@ static int checkentry(const char *tablename, const void *ip_void, | |||
125 | { | 125 | { |
126 | struct ip6t_policy_info *info = matchinfo; | 126 | struct ip6t_policy_info *info = matchinfo; |
127 | 127 | ||
128 | if (matchsize != IP6T_ALIGN(sizeof(*info))) { | ||
129 | printk(KERN_ERR "ip6t_policy: matchsize %u != %zu\n", | ||
130 | matchsize, IP6T_ALIGN(sizeof(*info))); | ||
131 | return 0; | ||
132 | } | ||
133 | if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) { | 128 | if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) { |
134 | printk(KERN_ERR "ip6t_policy: neither incoming nor " | 129 | printk(KERN_ERR "ip6t_policy: neither incoming nor " |
135 | "outgoing policy selected\n"); | 130 | "outgoing policy selected\n"); |
@@ -158,6 +153,7 @@ static int checkentry(const char *tablename, const void *ip_void, | |||
158 | static struct ip6t_match policy_match = { | 153 | static struct ip6t_match policy_match = { |
159 | .name = "policy", | 154 | .name = "policy", |
160 | .match = match, | 155 | .match = match, |
156 | .matchsize = sizeof(struct ip6t_policy_info), | ||
161 | .checkentry = checkentry, | 157 | .checkentry = checkentry, |
162 | .me = THIS_MODULE, | 158 | .me = THIS_MODULE, |
163 | }; | 159 | }; |
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c index 8f82476dc89e..a3810748f547 100644 --- a/net/ipv6/netfilter/ip6t_rt.c +++ b/net/ipv6/netfilter/ip6t_rt.c | |||
@@ -200,11 +200,6 @@ checkentry(const char *tablename, | |||
200 | { | 200 | { |
201 | const struct ip6t_rt *rtinfo = matchinfo; | 201 | const struct ip6t_rt *rtinfo = matchinfo; |
202 | 202 | ||
203 | if (matchinfosize != IP6T_ALIGN(sizeof(struct ip6t_rt))) { | ||
204 | DEBUGP("ip6t_rt: matchsize %u != %u\n", | ||
205 | matchinfosize, IP6T_ALIGN(sizeof(struct ip6t_rt))); | ||
206 | return 0; | ||
207 | } | ||
208 | if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { | 203 | if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { |
209 | DEBUGP("ip6t_rt: unknown flags %X\n", rtinfo->invflags); | 204 | DEBUGP("ip6t_rt: unknown flags %X\n", rtinfo->invflags); |
210 | return 0; | 205 | return 0; |
@@ -222,8 +217,9 @@ checkentry(const char *tablename, | |||
222 | 217 | ||
223 | static struct ip6t_match rt_match = { | 218 | static struct ip6t_match rt_match = { |
224 | .name = "rt", | 219 | .name = "rt", |
225 | .match = &match, | 220 | .match = match, |
226 | .checkentry = &checkentry, | 221 | .matchsize = sizeof(struct ip6t_rt), |
222 | .checkentry = checkentry, | ||
227 | .me = THIS_MODULE, | 223 | .me = THIS_MODULE, |
228 | }; | 224 | }; |
229 | 225 | ||