From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>
Subject: [NETFILTER 11/14]: Check policy length in policy match strict mode
Date: Fri, 3 Feb 2006 14:44:15 +0100 (MET) [thread overview]
Message-ID: <20060203134415.2141.78756.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20060203134358.2141.63426.sendpatchset@localhost.localdomain>
[NETFILTER]: Check policy length in policy match strict mode
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 0140ae42a6acc87e5c63ac8367473670dcffba8e
tree 0145dfe52711bf0e7d503b3d2a2d2ac603d82ad9
parent 9da97b95715756a28bfc1a931f033db6206d7dfd
author Patrick McHardy <kaber@trash.net> Fri, 03 Feb 2006 12:46:53 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 03 Feb 2006 12:46:53 +0100
net/ipv4/netfilter/ipt_policy.c | 2 +-
net/ipv6/netfilter/ip6t_policy.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
index 18ca825..a48949a 100644
--- a/net/ipv4/netfilter/ipt_policy.c
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -89,7 +89,7 @@ match_policy_out(const struct sk_buff *s
return 0;
}
- return strict ? 1 : 0;
+ return strict ? i == info->len : 0;
}
static int match(const struct sk_buff *skb,
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
index afe1cc4..9f38cd0 100644
--- a/net/ipv6/netfilter/ip6t_policy.c
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -91,7 +91,7 @@ match_policy_out(const struct sk_buff *s
return 0;
}
- return strict ? 1 : 0;
+ return strict ? i == info->len : 0;
}
static int match(const struct sk_buff *skb,
next prev parent reply other threads:[~2006-02-03 13:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-03 13:43 [00/14]: Netfilter fixes for 2.6.16 Patrick McHardy
2006-02-03 13:43 ` [NETFILTER 01/14]: ctnetlink: Fix subsystem used for expectation events Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 02/14]: ctnetlink: add MODULE_ALIAS for expectation subsystem Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 03/14]: nf_conntrack: check address family when finding protocol module Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 04/14]: ULOG/nfnetlink_log: Use better default value for 'nlbufsiz' Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 05/14]: Fix undersized skb allocation in ipt_ULOG/ebt_ulog/nfnetlink_log Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 06/14]: nfnetlink_queue: fix packet marking over netlink Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 07/14]: Fix missing src port initialization in tftp expectation mask Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 08/14]: iptables: fix typos in ipt_connbytes.h Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 09/14]: nf_conntrack: fix incorrect memset() size in FTP helper Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 10/14]: Fix possible overflow in netfilters do_replace() Patrick McHardy
2006-02-03 13:44 ` Patrick McHardy [this message]
2006-02-03 13:44 ` [NETFILTER 12/14]: Fix ip6t_policy address matching Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 13/14]: Prepare {ipt, ip6t}_policy match for x_tables unification Patrick McHardy
2006-02-03 13:44 ` [NETFILTER 14/14]: Fix check whether dst_entry needs to be released after NAT Patrick McHardy
2006-02-04 10:21 ` [00/14]: Netfilter fixes for 2.6.16 David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060203134415.2141.78756.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.