diff options
| author | Jan Engelhardt <jengelh@medozas.de> | 2009-07-18 08:52:58 -0400 |
|---|---|---|
| committer | Jan Engelhardt <jengelh@medozas.de> | 2009-08-10 07:35:28 -0400 |
| commit | a7d51738e757c1ab94595e7d05594c61f0fb32ce (patch) | |
| tree | af862be9cb71bf2ef66cd7fb72ed582428ccbc1d /net/ipv4 | |
| parent | 47901dc2c4a3f1f9af453486a005d31fe9b393f0 (diff) | |
netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks
The "hook_entry" and "underflow" array contains values even for hooks
not provided, such as PREROUTING in conjunction with the "filter"
table. Usually, the values point to whatever the next rule is. For
the upcoming unconditionality and underflow checking patches however,
we must not inspect that arbitrary rule.
Skipping unassigned hooks seems like a good idea, also because
newinfo->hook_entry and newinfo->underflow will then continue to have
the poison value for detecting abnormalities.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 5 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 5 |
2 files changed, 8 insertions, 2 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index b9f7243f4220..d91f0834d572 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
| @@ -539,6 +539,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
| 539 | unsigned char *limit, | 539 | unsigned char *limit, |
| 540 | const unsigned int *hook_entries, | 540 | const unsigned int *hook_entries, |
| 541 | const unsigned int *underflows, | 541 | const unsigned int *underflows, |
| 542 | unsigned int valid_hooks, | ||
| 542 | unsigned int *i) | 543 | unsigned int *i) |
| 543 | { | 544 | { |
| 544 | unsigned int h; | 545 | unsigned int h; |
| @@ -558,6 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
| 558 | 559 | ||
| 559 | /* Check hooks & underflows */ | 560 | /* Check hooks & underflows */ |
| 560 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { | 561 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { |
| 562 | if (!(valid_hooks & (1 << h))) | ||
| 563 | continue; | ||
| 561 | if ((unsigned char *)e - base == hook_entries[h]) | 564 | if ((unsigned char *)e - base == hook_entries[h]) |
| 562 | newinfo->hook_entry[h] = hook_entries[h]; | 565 | newinfo->hook_entry[h] = hook_entries[h]; |
| 563 | if ((unsigned char *)e - base == underflows[h]) | 566 | if ((unsigned char *)e - base == underflows[h]) |
| @@ -626,7 +629,7 @@ static int translate_table(const char *name, | |||
| 626 | newinfo, | 629 | newinfo, |
| 627 | entry0, | 630 | entry0, |
| 628 | entry0 + size, | 631 | entry0 + size, |
| 629 | hook_entries, underflows, &i); | 632 | hook_entries, underflows, valid_hooks, &i); |
| 630 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); | 633 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); |
| 631 | if (ret != 0) | 634 | if (ret != 0) |
| 632 | return ret; | 635 | return ret; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 3431a771ff1f..6e7b7e8b80b1 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -714,6 +714,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
| 714 | unsigned char *limit, | 714 | unsigned char *limit, |
| 715 | const unsigned int *hook_entries, | 715 | const unsigned int *hook_entries, |
| 716 | const unsigned int *underflows, | 716 | const unsigned int *underflows, |
| 717 | unsigned int valid_hooks, | ||
| 717 | unsigned int *i) | 718 | unsigned int *i) |
| 718 | { | 719 | { |
| 719 | unsigned int h; | 720 | unsigned int h; |
| @@ -733,6 +734,8 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
| 733 | 734 | ||
| 734 | /* Check hooks & underflows */ | 735 | /* Check hooks & underflows */ |
| 735 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 736 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
| 737 | if (!(valid_hooks & (1 << h))) | ||
| 738 | continue; | ||
| 736 | if ((unsigned char *)e - base == hook_entries[h]) | 739 | if ((unsigned char *)e - base == hook_entries[h]) |
| 737 | newinfo->hook_entry[h] = hook_entries[h]; | 740 | newinfo->hook_entry[h] = hook_entries[h]; |
| 738 | if ((unsigned char *)e - base == underflows[h]) | 741 | if ((unsigned char *)e - base == underflows[h]) |
| @@ -804,7 +807,7 @@ translate_table(const char *name, | |||
| 804 | newinfo, | 807 | newinfo, |
| 805 | entry0, | 808 | entry0, |
| 806 | entry0 + size, | 809 | entry0 + size, |
| 807 | hook_entries, underflows, &i); | 810 | hook_entries, underflows, valid_hooks, &i); |
| 808 | if (ret != 0) | 811 | if (ret != 0) |
| 809 | return ret; | 812 | return ret; |
| 810 | 813 | ||