On Sun, Apr 16, 2017 at 01:29:13AM +0200, Florian Westphal wrote: > 3 years ago we had to bump the offsets to the extensions > (223b02d923ecd7c84cf9780bb3686f455d279279, > "netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len") > because total size of all extensions had increased to a point where u8 > did overflow. > > We already dieted the extensions back to more reasonable sizes, however, > I never wanted to switch back because overflow produces hard to diagnose > crash bugs, and we could not add compile-time assert because extensions > can be dynamically sized. > > This series makes the last veriable-sized extension (helper) > fixed in size by adding a 32byte scratch area for helpers to use > and then adds the compile-time asserts to catch overflow during build > time. Series applied. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
