On Sun, Dec 30, 2012 at 02:28:51PM +0800, akong@xxxxxxxxxx wrote:
> From: Amos Kong <akong@xxxxxxxxxx>
>
> 4096 is not a valid vlan id.
>
> Signed-off-by: Amos Kong <akong@xxxxxxxxxx>
> ---
> net/bridge/netfilter/ebt_vlan.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
> index eae67bf..b279ec0 100644
> --- a/net/bridge/netfilter/ebt_vlan.c
> +++ b/net/bridge/netfilter/ebt_vlan.c
> @@ -121,8 +121,8 @@ static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
> * if_vlan.h: VLAN_N_VID 4096. */
> if (GET_BITMASK(EBT_VLAN_ID)) {
> if (!!info->id) { /* if id!=0 => check vid range */
> - if (info->id > VLAN_N_VID) {
> - pr_debug("id %d is out of range (1-4096)\n",
> + if (info->id >= VLAN_N_VID) {
> + pr_debug("id %d is out of range (1-4095)\n",
Someone may forge frames including reserved VLAN ids.
People can use ebtables to drop invalid frames, this is a firewalling
utility after all ;-). I'm not taking these, sorry.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
