[PATCH] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
@ 2016-11-30  2:56 Hongxu Jia
  2016-11-30 11:53 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Hongxu Jia @ 2016-11-30  2:56 UTC (permalink / raw)
  To: fw, pablo; +Cc: netfilter-devel

Since the following commit applied in kernel (https://git.kernel.org/cgit/
linux/kernel/git/torvalds/linux.git/commit/?id=09d9686047dbbe1cf4faa558d3ecc4aae2046054)
--------------------------------------
commit 09d9686047dbbe1cf4faa558d3ecc4aae2046054
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Apr 1 14:17:34 2016 +0200

    netfilter: x_tables: do compat validation via translate_table
--------------------------------------
It used compatr structure to assign newinfo structure.
In translate_compat_table of ip_tables.c and ip6_tables.c, it used
compatr->hook_entry to replace info->hook_entry and
compatr->underflow to replace info->underflow, but not do the same
replacement in arp_tables.c.

It caused invoking 32-bit "arptbale -P INPUT ACCEPT" failed in 64bit kernel.
--------------------------------------
root@qemux86-64:~# arptables -P INPUT ACCEPT
root@qemux86-64:~# arptables -P INPUT ACCEPT
ERROR: Policy for `INPUT' offset 448 != underflow 0
arptables: Incompatible with this kernel
--------------------------------------

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 net/ipv4/netfilter/arp_tables.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index b31df59..6975384 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1201,8 +1201,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
 
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-		newinfo->hook_entry[i] = info->hook_entry[i];
-		newinfo->underflow[i] = info->underflow[i];
+		newinfo->hook_entry[i] = compatr->hook_entry[i];
+		newinfo->underflow[i] = compatr->underflow[i];
 	}
 	entry1 = newinfo->entries;
 	pos = entry1;
-- 
2.8.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
  2016-11-30  2:56 [PATCH] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel Hongxu Jia
@ 2016-11-30 11:53 ` Florian Westphal
  2016-11-30 18:32   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2016-11-30 11:53 UTC (permalink / raw)
  To: Hongxu Jia; +Cc: fw, pablo, netfilter-devel

Hongxu Jia <hongxu.jia@windriver.com> wrote:
> Since the following commit applied in kernel (https://git.kernel.org/cgit/
> linux/kernel/git/torvalds/linux.git/commit/?id=09d9686047dbbe1cf4faa558d3ecc4aae2046054)
> --------------------------------------
> commit 09d9686047dbbe1cf4faa558d3ecc4aae2046054
> Author: Florian Westphal <fw@strlen.de>
> Date:   Fri Apr 1 14:17:34 2016 +0200
> 
>     netfilter: x_tables: do compat validation via translate_table
> --------------------------------------
> It used compatr structure to assign newinfo structure.
> In translate_compat_table of ip_tables.c and ip6_tables.c, it used
> compatr->hook_entry to replace info->hook_entry and
> compatr->underflow to replace info->underflow, but not do the same
> replacement in arp_tables.c.

Right, thanks for fixing this:

Acked-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
  2016-11-30 11:53 ` Florian Westphal
@ 2016-11-30 18:32   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2016-11-30 18:32 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Hongxu Jia, netfilter-devel

On Wed, Nov 30, 2016 at 12:53:07PM +0100, Florian Westphal wrote:
> Hongxu Jia <hongxu.jia@windriver.com> wrote:
> > Since the following commit applied in kernel (https://git.kernel.org/cgit/
> > linux/kernel/git/torvalds/linux.git/commit/?id=09d9686047dbbe1cf4faa558d3ecc4aae2046054)
> > --------------------------------------
> > commit 09d9686047dbbe1cf4faa558d3ecc4aae2046054
> > Author: Florian Westphal <fw@strlen.de>
> > Date:   Fri Apr 1 14:17:34 2016 +0200
> > 
> >     netfilter: x_tables: do compat validation via translate_table
> > --------------------------------------
> > It used compatr structure to assign newinfo structure.
> > In translate_compat_table of ip_tables.c and ip6_tables.c, it used
> > compatr->hook_entry to replace info->hook_entry and
> > compatr->underflow to replace info->underflow, but not do the same
> > replacement in arp_tables.c.
> 
> Right, thanks for fixing this:
> 
> Acked-by: Florian Westphal <fw@strlen.de>

Applied, thanks everyone.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-11-30 18:41 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-30  2:56 [PATCH] netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel Hongxu Jia
2016-11-30 11:53 ` Florian Westphal
2016-11-30 18:32   ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).