On Sat, Sep 17, 2016 at 02:31:20PM +0800, Liping Zhang wrote: > From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx> > > pkt->xt.thoff is not always set properly, but we use it without any check. > For payload expr, it will cause wrong results. For nftrace, we may notify > the wrong network or transport header to the user space, furthermore, > input the following nft rules, warning message will be printed out: > # nft add rule arp filter output meta nftrace set 1 > > WARNING: CPU: 0 PID: 13428 at net/netfilter/nf_tables_trace.c:263 > nft_trace_notify+0x4a3/0x5e0 [nf_tables] > Call Trace: > [<ffffffff813d58ae>] dump_stack+0x63/0x85 > [<ffffffff810a4c0b>] __warn+0xcb/0xf0 > [<ffffffff810a4d3d>] warn_slowpath_null+0x1d/0x20 > [<ffffffffa0589703>] nft_trace_notify+0x4a3/0x5e0 [nf_tables] > [ ... ] > [<ffffffffa05690a8>] nft_do_chain_arp+0x78/0x90 [nf_tables_arp] > [<ffffffff816f4aa2>] nf_iterate+0x62/0x80 > [<ffffffff816f4b33>] nf_hook_slow+0x73/0xd0 > [<ffffffff81732bbf>] arp_xmit+0x8f/0xb0 > [ ... ] > [<ffffffff81732d36>] arp_solicit+0x106/0x2c0 > > So before we use pkt->xt.thoff, check the tprot_set first. Applied, thanks a lot. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
