On Wed, Feb 07, 2018 at 01:46:25PM +0100, Florian Westphal wrote:
> The rationale for removing the check is only correct for rulesets
> generated by ip(6)tables.
>
> In iptables, a jump can only occur to a user-defined chain, i.e.
> because we size the stack based on number of user-defined chains we
> cannot exceed stack size.
>
> However, the underlying binary format has no such restriction,
> and the validation step only ensures that the jump target is a
> valid rule start point.
>
> IOW, it's possible to build a rule blob that has no user-defined
> chains but does contain a jump.
>
> If this happens, no jump stack gets allocated and crash occurs
> because no jumpstack was allocated.

Applied, thanks.
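
The condition described in the quoted commit message, as an added example that is not part of the original mail and is not the kernel's code: a simplified user-space model in which the traverser checks the stack index before every push. All type and function names are hypothetical, the rule arrays are constructed, and returning a drop verdict when the check fails is an assumption of this model.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified user-space model, not kernel code; all names are hypothetical. */
enum kind { RULE_JUMP, RULE_RETURN, RULE_ACCEPT };
enum verdict { V_ACCEPT, V_DROP };
struct rule { enum kind kind; size_t target; };

/* Walk rules from index 0; stacksize is the user-defined chain count (may be 0). */
enum verdict traverse(const struct rule *rules, size_t nrules,
                      size_t *stack, size_t stacksize)
{
    size_t pc = 0, sp = 0;
    while (pc < nrules) {
        const struct rule *r = &rules[pc];
        if (r->kind == RULE_ACCEPT)
            return V_ACCEPT;
        if (r->kind == RULE_RETURN) {
            if (sp == 0)
                return V_ACCEPT;   /* end of base chain: policy, accept here */
            pc = stack[--sp];
            continue;
        }
        /* RULE_JUMP: validation only proved target is a rule start, not a stack slot. */
        if (sp >= stacksize)
            return V_DROP;         /* assumed failure verdict for this model */
        stack[sp++] = pc + 1;
        pc = r->target;
    }
    return V_DROP;                 /* ran off the end of the blob */
}

/* Constructed input: a jump but no user-defined chain, so no stack exists. */
enum verdict jump_without_user_chain(void)
{
    const struct rule blob[] = { { RULE_JUMP, 1 }, { RULE_ACCEPT, 0 } };
    return traverse(blob, 2, NULL, 0);
}

/* Constructed input: iptables-style ruleset with one user-defined chain. */
enum verdict jump_into_user_chain(void)
{
    const struct rule blob[] = { { RULE_JUMP, 2 }, { RULE_ACCEPT, 0 }, { RULE_RETURN, 0 } };
    size_t stack[1];
    return traverse(blob, 3, stack, 1);
}

int main(void)
{
    printf("%d %d\n", jump_without_user_chain(), jump_into_user_chain());
}
```

Without the `sp >= stacksize` test, the first constructed case would write through the NULL stack pointer, which is the crash the commit message describes.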