linux-hardened/include/linux/netfilter
Patrick McHardy 46c5ea3c9a [NETFILTER] x_tables: fix compat related crash on non-x86
When iptables userspace adds an ipt_standard_target, it calculates the size
of the entire entry as:

sizeof(struct ipt_entry) + XT_ALIGN(sizeof(struct ipt_standard_target))

ipt_standard_target looks like this:

  struct xt_standard_target
  {
        struct xt_entry_target target;
        int verdict;
  };

xt_entry_target contains a pointer, so when compiled for 64 bit the
structure gets an extra 4 byte of padding at the end. On 32 bit
architectures where iptables aligns to 8 byte it will also have 4
byte padding at the end because it is only 36 bytes large.

The compat_ipt_standard_fn in the kernel adjusts the offsets by

  sizeof(struct ipt_standard_target) - sizeof(struct compat_ipt_standard_target),

which will always result in 4, even if the structure from userspace
was already padded to a multiple of 8. On x86 this works out by
accident because userspace only aligns to 4, on all other
architectures this is broken and causes incorrect adjustments to
the size and following offsets.

Thanks to Linus for lots of debugging help and testing.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-05-01 20:48:32 -07:00
..
nf_conntrack_common.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
nf_conntrack_ftp.h [NETFILTER]: Add nf_conntrack subsystem. 2005-11-09 16:38:16 -08:00
nf_conntrack_sctp.h [NETFILTER]: Add nf_conntrack subsystem. 2005-11-09 16:38:16 -08:00
nf_conntrack_tcp.h [NETFILTER]: Add nf_conntrack subsystem. 2005-11-09 16:38:16 -08:00
nf_conntrack_tuple_common.h [NETFILTER]: Add nf_conntrack subsystem. 2005-11-09 16:38:16 -08:00
nfnetlink.h [NETFILTER]: ctnetlink: avoid unneccessary event message generation 2006-03-20 18:03:59 -08:00
nfnetlink_conntrack.h [NETFILTER]: ctnetlink: Fix dumping of helper name 2006-01-05 12:20:02 -08:00
nfnetlink_log.h [NETFILTER] nfnetlink_log: add sequence numbers for log events 2006-03-20 17:15:11 -08:00
nfnetlink_queue.h [NETFILTER]: introduce and use aligned_u64 data type 2005-08-29 15:57:59 -07:00
x_tables.h [NETFILTER] x_tables: fix compat related crash on non-x86 2006-05-01 20:48:32 -07:00
xt_CLASSIFY.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_comment.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_connbytes.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_connmark.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_CONNMARK.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_conntrack.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_dccp.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_esp.h [NETFILTER]: x_tables: unify IPv4/IPv6 esp match 2006-04-01 02:22:30 -08:00
xt_helper.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_length.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_limit.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_mac.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_mark.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_MARK.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_multiport.h [NETFILTER]: x_tables: unify IPv4/IPv6 multiport match 2006-04-01 02:22:54 -08:00
xt_NFQUEUE.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_physdev.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_pkttype.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_policy.h [NETFILTER]: x_tables: replace IPv4/IPv6 policy match by address family independant version 2006-03-20 18:03:40 -08:00
xt_realm.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_sctp.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_state.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_string.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_tcpmss.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00
xt_tcpudp.h [NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables 2006-01-12 14:06:43 -08:00