diff options
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 5 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 5 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 5 |
3 files changed, 12 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index b9f7243f4220..d91f0834d572 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
| @@ -539,6 +539,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
| 539 | unsigned char *limit, | 539 | unsigned char *limit, |
| 540 | const unsigned int *hook_entries, | 540 | const unsigned int *hook_entries, |
| 541 | const unsigned int *underflows, | 541 | const unsigned int *underflows, |
| 542 | unsigned int valid_hooks, | ||
| 542 | unsigned int *i) | 543 | unsigned int *i) |
| 543 | { | 544 | { |
| 544 | unsigned int h; | 545 | unsigned int h; |
| @@ -558,6 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, | |||
| 558 | 559 | ||
| 559 | /* Check hooks & underflows */ | 560 | /* Check hooks & underflows */ |
| 560 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { | 561 | for (h = 0; h < NF_ARP_NUMHOOKS; h++) { |
| 562 | if (!(valid_hooks & (1 << h))) | ||
| 563 | continue; | ||
| 561 | if ((unsigned char *)e - base == hook_entries[h]) | 564 | if ((unsigned char *)e - base == hook_entries[h]) |
| 562 | newinfo->hook_entry[h] = hook_entries[h]; | 565 | newinfo->hook_entry[h] = hook_entries[h]; |
| 563 | if ((unsigned char *)e - base == underflows[h]) | 566 | if ((unsigned char *)e - base == underflows[h]) |
| @@ -626,7 +629,7 @@ static int translate_table(const char *name, | |||
| 626 | newinfo, | 629 | newinfo, |
| 627 | entry0, | 630 | entry0, |
| 628 | entry0 + size, | 631 | entry0 + size, |
| 629 | hook_entries, underflows, &i); | 632 | hook_entries, underflows, valid_hooks, &i); |
| 630 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); | 633 | duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); |
| 631 | if (ret != 0) | 634 | if (ret != 0) |
| 632 | return ret; | 635 | return ret; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 3431a771ff1f..6e7b7e8b80b1 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -714,6 +714,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
| 714 | unsigned char *limit, | 714 | unsigned char *limit, |
| 715 | const unsigned int *hook_entries, | 715 | const unsigned int *hook_entries, |
| 716 | const unsigned int *underflows, | 716 | const unsigned int *underflows, |
| 717 | unsigned int valid_hooks, | ||
| 717 | unsigned int *i) | 718 | unsigned int *i) |
| 718 | { | 719 | { |
| 719 | unsigned int h; | 720 | unsigned int h; |
| @@ -733,6 +734,8 @@ check_entry_size_and_hooks(struct ipt_entry *e, | |||
| 733 | 734 | ||
| 734 | /* Check hooks & underflows */ | 735 | /* Check hooks & underflows */ |
| 735 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 736 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
| 737 | if (!(valid_hooks & (1 << h))) | ||
| 738 | continue; | ||
| 736 | if ((unsigned char *)e - base == hook_entries[h]) | 739 | if ((unsigned char *)e - base == hook_entries[h]) |
| 737 | newinfo->hook_entry[h] = hook_entries[h]; | 740 | newinfo->hook_entry[h] = hook_entries[h]; |
| 738 | if ((unsigned char *)e - base == underflows[h]) | 741 | if ((unsigned char *)e - base == underflows[h]) |
| @@ -804,7 +807,7 @@ translate_table(const char *name, | |||
| 804 | newinfo, | 807 | newinfo, |
| 805 | entry0, | 808 | entry0, |
| 806 | entry0 + size, | 809 | entry0 + size, |
| 807 | hook_entries, underflows, &i); | 810 | hook_entries, underflows, valid_hooks, &i); |
| 808 | if (ret != 0) | 811 | if (ret != 0) |
| 809 | return ret; | 812 | return ret; |
| 810 | 813 | ||
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 1389ad904bc3..8e4921a937ff 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
| @@ -747,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
| 747 | unsigned char *limit, | 747 | unsigned char *limit, |
| 748 | const unsigned int *hook_entries, | 748 | const unsigned int *hook_entries, |
| 749 | const unsigned int *underflows, | 749 | const unsigned int *underflows, |
| 750 | unsigned int valid_hooks, | ||
| 750 | unsigned int *i) | 751 | unsigned int *i) |
| 751 | { | 752 | { |
| 752 | unsigned int h; | 753 | unsigned int h; |
| @@ -766,6 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e, | |||
| 766 | 767 | ||
| 767 | /* Check hooks & underflows */ | 768 | /* Check hooks & underflows */ |
| 768 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { | 769 | for (h = 0; h < NF_INET_NUMHOOKS; h++) { |
| 770 | if (!(valid_hooks & (1 << h))) | ||
| 771 | continue; | ||
| 769 | if ((unsigned char *)e - base == hook_entries[h]) | 772 | if ((unsigned char *)e - base == hook_entries[h]) |
| 770 | newinfo->hook_entry[h] = hook_entries[h]; | 773 | newinfo->hook_entry[h] = hook_entries[h]; |
| 771 | if ((unsigned char *)e - base == underflows[h]) | 774 | if ((unsigned char *)e - base == underflows[h]) |
| @@ -837,7 +840,7 @@ translate_table(const char *name, | |||
| 837 | newinfo, | 840 | newinfo, |
| 838 | entry0, | 841 | entry0, |
| 839 | entry0 + size, | 842 | entry0 + size, |
| 840 | hook_entries, underflows, &i); | 843 | hook_entries, underflows, valid_hooks, &i); |
| 841 | if (ret != 0) | 844 | if (ret != 0) |
| 842 | return ret; | 845 | return ret; |
| 843 | 846 | ||