On Friday 2009-02-13 14:03, Evgeniy Polyakov wrote:
>> >What's this? It does not exist in the net/ipv4/netfilter/Kconfig
>>
>> net/netfilter/Kconfig: (e.g.)
>>
>> config NETFILTER_XT_MATCH_COMMENT
>> tristate '"comment" match support'
>> depends on NETFILTER_ADVANCED
>> ---help---
>
>But I placed OSF into net/ipv4/netfilter/ipt_osf.c, should it be moved
>into different location?
That would be preferable -> net/netfilter/xt_osf.c.
>> >> >+ case OSFOPT_MSS:
>> >> >+ mss = ntohs(*(u16 *)(optp + 2));
>> >>
>> >> This needs get_unaligned(), in case someone sends a malicious packet.
>> >
>> >Hmmm, why is this needed? We dereference linear kernel pointer at
>> >proper offset (modulo of the option size).
>>
>> What if optp is odd?
>
>It cant, header is fixed and every option length is also fixed (and its
>size is checked).
This RFC-compliant ("An option may begin on any octet boundary.")
option byte stream seems to produce an odd optp value:
01 02 04 05 a0 00
or where did I go wrong?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
