From: Patrick McHardy <kaber@trash.net>
To: Michael Rash <mbr@cipherdyne.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] --log-ip-options broken in 2.4
Date: Fri, 04 Mar 2005 11:39:10 +0100
Message-ID: <42283ACE.1080006@trash.net>
In-Reply-To: <20050129070423.GA25755@orthanc.gambrl01.md.comcast.net>
[-- Attachment #1: Type: text/plain, Size: 588 bytes --]
Michael Rash wrote:
> It looks like --log-ip-options is broken in 2.4, i.e. the OPT field
> never appears in Netfilter logs even when packets contain IP options.
> I have attached a small patch that fixes this. It removes the
> "iph->ihl * 4 >= datalen" condition, which rarely happens ("ping -T
> tsonly -s 1 <host>" will trigger it for example). The resulting code is
> analogous to the code in the 2.6 kernel.
In 2.6 the size of the area is verified by skb_header_pointer, we
need to do this manually in 2.4. I'm going to submit the attached
patch for this problem.
Regards
Patrick
[-- Attachment #2: 08.diff --]
[-- Type: text/x-patch, Size: 1277 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2005/03/04 11:36:23+01:00 kaber@coreworks.de
# [NETFILTER]: Fix IP/TCP option logging
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/ipv4/netfilter/ipt_LOG.c
# 2005/03/04 11:35:42+01:00 kaber@coreworks.de +4 -3
# [NETFILTER]: Fix IP/TCP option logging
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
--- a/net/ipv4/netfilter/ipt_LOG.c 2005-03-04 11:37:01 +01:00
+++ b/net/ipv4/netfilter/ipt_LOG.c 2005-03-04 11:37:01 +01:00
@@ -67,8 +67,8 @@
printk("FRAG:%u ", ntohs(iph->frag_off) & IP_OFFSET);
if ((info->logflags & IPT_LOG_IPOPT)
- && iph->ihl * 4 != sizeof(struct iphdr)
- && iph->ihl * 4 >= datalen) {
+ && iph->ihl * 4 > sizeof(struct iphdr)
+ && iph->ihl * 4 <= len) {
unsigned int i;
/* Max length: 127 "OPT (" 15*4*2chars ") " */
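Review bot: the IP options condition now bounds `iph->ihl * 4` by `len`, while the line it replaces and the TCP hunk both use `datalen`, and neither variable is defined in the visible context. Please state in the commit message or in a comment which span each one measures (for this check it has to be the bytes available from the start of the IP header), and mention that the comparison direction flips from `>=` to `<=`, since "Fix IP/TCP option logging" alone does not tell a later reader why the bound changed.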
@@ -126,7 +126,8 @@
printk("URGP=%u ", ntohs(tcph->urg_ptr));
if ((info->logflags & IPT_LOG_TCPOPT)
- && tcph->doff * 4 != sizeof(struct tcphdr)) {
+ && tcph->doff * 4 > sizeof(struct tcphdr)
+ && tcph->doff * 4 <= datalen) {
unsigned int i;
/* Max length: 127 "OPT (" 15*4*2chars ") " */
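Review bot: in the TCP options condition, a segment whose `tcph->doff * 4` exceeds `datalen` now skips the OPT block without leaving any trace, so someone reading the log cannot tell a truncated option area from a header that carries no options. Consider printing a short marker for that case. The same goes for `tcph->doff * 4` smaller than `sizeof(struct tcphdr)`, which the change from `!=` to `>` now excludes silently.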
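The manual length verification described in the reply above, as an added user-space example that is not part of the original message or of the kernel source. The helper `format_ip_options` and the sample packet are hypothetical and constructed for illustration; option bytes are only read when the header length taken from the IHL field is larger than 20 bytes and fits inside the buffer that is actually available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR 20u /* size of an IPv4 header without options */

/* Constructed sample: IPv4 header with IHL=6 followed by 4 option bytes
 * (NOP, NOP, NOP, EOL). Documentation addresses, checksum left at zero. */
static const uint8_t SAMPLE_PKT[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x01, 0x00, 0x00, 0xc0, 0x00, 0x02, 0x01,
    0xc0, 0x00, 0x02, 0x02, 0x01, 0x01, 0x01, 0x00
};

/* Hypothetical helper: writes the IP option bytes as hex into out and
 * returns how many option bytes were written. Returns 0 (and an empty
 * string) when there are no options, when IHL is below the minimum, or
 * when the header claims more bytes than len provides. */
size_t format_ip_options(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';
    if (buf == NULL || len < IPV4_MIN_HDR)
        return 0;                      /* fixed header itself is incomplete */
    size_t hdrlen = (size_t)(buf[0] & 0x0f) * 4;   /* IHL in bytes */
    if (hdrlen <= IPV4_MIN_HDR || hdrlen > len)
        return 0;                      /* no options, or options truncated */
    size_t optlen = hdrlen - IPV4_MIN_HDR;
    if (outlen < optlen * 2 + 1)
        return 0;                      /* caller's buffer is too small */
    for (size_t i = 0; i < optlen; i++)
        snprintf(out + i * 2, 3, "%02X", buf[IPV4_MIN_HDR + i]);
    return optlen;
}

int main(void)
{
    char out[2 * 40 + 1];              /* at most 40 option bytes */
    size_t n = format_ip_options(SAMPLE_PKT, sizeof(SAMPLE_PKT), out, sizeof(out));
    printf("complete:  %zu option bytes, OPT (%s)\n", n, out);
    /* Same header, but only 22 bytes captured: options must not be read. */
    n = format_ip_options(SAMPLE_PKT, 22, out, sizeof(out));
    printf("truncated: %zu option bytes, OPT (%s)\n", n, out);
    return 0;
}
```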