aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6/netfilter/ip6_tables.c
diff options
context:
space:
mode:
authorJan Engelhardt <jengelh@medozas.de>2009-07-18 14:52:58 +0200
committerJan Engelhardt <jengelh@medozas.de>2009-08-10 13:35:28 +0200
commita7d51738e757c1ab94595e7d05594c61f0fb32ce (patch)
treeaf862be9cb71bf2ef66cd7fb72ed582428ccbc1d /net/ipv6/netfilter/ip6_tables.c
parent47901dc2c4a3f1f9af453486a005d31fe9b393f0 (diff)
downloadmrst-s0i3-test-a7d51738e757c1ab94595e7d05594c61f0fb32ce.tar.gz
mrst-s0i3-test-a7d51738e757c1ab94595e7d05594c61f0fb32ce.tar.xz
mrst-s0i3-test-a7d51738e757c1ab94595e7d05594c61f0fb32ce.zip
netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks
The "hook_entry" and "underflow" array contains values even for hooks not provided, such as PREROUTING in conjunction with the "filter" table. Usually, the values point to whatever the next rule is. For the upcoming unconditionality and underflow checking patches however, we must not inspect that arbitrary rule. Skipping unassigned hooks seems like a good idea, also because newinfo->hook_entry and newinfo->underflow will then continue to have the poison value for detecting abnormalities. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Diffstat (limited to 'net/ipv6/netfilter/ip6_tables.c')
-rw-r--r--net/ipv6/netfilter/ip6_tables.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1389ad904bc..8e4921a937f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -747,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
+ unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
@@ -766,6 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+ if (!(valid_hooks & (1 << h)))
+ continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
@@ -837,7 +840,7 @@ translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
- hook_entries, underflows, &i);
+ hook_entries, underflows, valid_hooks, &i);
if (ret != 0)
return ret;