On Tue, Mar 21, 2017 at 11:32:08AM +0100, Pablo Neira Ayuso wrote:
> On Sun, Mar 19, 2017 at 10:36:01PM +0800, Liping Zhang wrote:
> > From: Liping Zhang <zlpnobody@xxxxxxxxx>
> >
> > When invoking nfnl_cthelper_update, we will malloc a new expect_policy,
> > then only point the helper->expect_policy to the new one but ignore
> > the old one, so it will be leaked forever.
> >
> > Another issue is that the user can modify the expect_class_max to a
> > new value, for example, decrease the expect_class_max from 3 to 0.
>
> If the code is allowing this, we should fix it since this is not
> valid. We cannot change the number of classes once the helper has been
> created.
>
> Users may update the maximum number of expectations and its timeout
> per policy, but not the number of classes once this has been created.

Just sent a patch to sort this out. You can rebase on top of nf.git as
soon as I get those patches pushed out, will wait a bit to wait for
review and give it some testing here.

Thanks.
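A simplified userspace C model of the two points raised in this thread, added here as an example and not code from the patch or the kernel: the update path rewrites the per-class limits in place instead of allocating a replacement array, and refuses a request that changes the number of classes. The struct layout, the function names and the choice of `-EBUSY` as the rejection code are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified types; not the kernel's conntrack helper structs. */
struct expect_policy {
    unsigned int max_expected;
    unsigned int timeout;
};

struct helper {
    struct expect_policy *expect_policy; /* expect_class_max + 1 entries */
    unsigned int expect_class_max;
};

/* Creation is the only place the policy array is allocated. */
int helper_create(struct helper *h, const struct expect_policy *p,
                  unsigned int nclasses)
{
    if (nclasses == 0)
        return -EINVAL;
    h->expect_policy = malloc(nclasses * sizeof(*p));
    if (!h->expect_policy)
        return -ENOMEM;
    memcpy(h->expect_policy, p, nclasses * sizeof(*p));
    h->expect_class_max = nclasses - 1;
    return 0;
}

/* Update limits in place: no second allocation, so the old array is never
 * orphaned, and a changed class count is rejected before anything is written. */
int helper_update(struct helper *h, const struct expect_policy *p,
                  unsigned int nclasses)
{
    unsigned int i;

    if (nclasses != h->expect_class_max + 1)
        return -EBUSY; /* assumed error code for "class count is fixed" */
    for (i = 0; i < nclasses; i++) {
        h->expect_policy[i].max_expected = p[i].max_expected;
        h->expect_policy[i].timeout = p[i].timeout;
    }
    return 0;
}
```
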