From: pablo@netfilter.org
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 1/7] netfilter: xt_hashlimit: use _ALL macro to reject unknown flag bits
Date: Thu, 17 May 2012 01:06:38 +0200
Message-ID: <1337209604-3412-2-git-send-email-pablo@netfilter.org>
In-Reply-To: <1337209604-3412-1-git-send-email-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
David Miller says:
     The canonical way to validate if the set bits are in a valid
     range is to have a "_ALL" macro, and test:

     if (val & ~XT_HASHLIMIT_ALL)
         goto err;"

make it so.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/xt_hashlimit.h | 6 ++++--
net/netfilter/xt_hashlimit.c | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index 05fe799..c42e52f 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -22,10 +22,12 @@ enum {
XT_HASHLIMIT_HASH_SPT = 1 << 3,
XT_HASHLIMIT_INVERT = 1 << 4,
XT_HASHLIMIT_BYTES = 1 << 5,
+};
#ifdef __KERNEL__
- XT_HASHLIMIT_MAX = 1 << 6,
+#define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
+ XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
+ XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES)
#endif
-};
struct hashlimit_cfg {
__u32 mode; /* bitmask of XT_HASHLIMIT_HASH_* */
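Review bot: XT_HASHLIMIT_ALL in the added #define is a hand-written OR of the six flags, so nothing ties it to the enum just above it; a flag added to the enum later but not to this macro will be refused by the mode check in hashlimit_mt_check(). That fails closed, which is the safe direction, but a one-line comment next to the enum saying that new flags must also be added to XT_HASHLIMIT_ALL would make the dependency explicit. The changelog could also say whether any other in-kernel user of the removed XT_HASHLIMIT_MAX remains, since only net/netfilter/xt_hashlimit.c is converted in this patch.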
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 5d5af1d..26a668a 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -647,7 +647,7 @@ static int hashlimit_mt_check(const struct xt_mtchk_param *par)
return -EINVAL;
}
- if (info->cfg.mode >= XT_HASHLIMIT_MAX) {
+ if (info->cfg.mode & ~XT_HASHLIMIT_ALL) {
pr_info("Unknown mode mask %X, kernel too old?\n",
info->cfg.mode);
return -EINVAL;
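Review bot: the pr_info() under the new test still prints the whole info->cfg.mode, so the log line does not show which bits were refused; printing info->cfg.mode & ~XT_HASHLIMIT_ALL (or both values) would make the message directly useful when diagnosing a userspace/kernel mismatch. The changelog should also state whether a behaviour change is intended: if the six flags occupy bits 0 to 5, as the visible 1 << 3 to 1 << 5 and the old XT_HASHLIMIT_MAX of 1 << 6 suggest, then mode >= XT_HASHLIMIT_MAX and mode & ~XT_HASHLIMIT_ALL reject exactly the same values, and the gain is that the mask form stays correct if the flag bits ever stop being contiguous.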
--
1.7.10