diff options
author | Florian Westphal <fw@strlen.de> | 2016-04-01 15:17:22 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-04-14 01:30:35 +0300 |
commit | 36472341017529e2b12573093cc0f68719300997 (patch) | |
tree | 96f6dd9fbfcddc5e3a934d4dd812d640574897d0 /net/ipv6/fib6_rules.c | |
parent | f24e230d257af1ad7476c6e81a8dc3127a74204e (diff) | |
download | linux-36472341017529e2b12573093cc0f68719300997.tar.xz |
netfilter: x_tables: validate targets of jumps
When we see a jump also check that the offset gets us to beginning of
a rule (an ipt_entry).
The extra overhead is negible, even with absurd cases.
300k custom rules, 300k jumps to 'next' user chain:
[ plus one jump from INPUT to first userchain ]:
Before:
real 0m24.874s
user 0m7.532s
sys 0m16.076s
After:
real 0m27.464s
user 0m7.436s
sys 0m18.840s
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6/fib6_rules.c')
0 files changed, 0 insertions, 0 deletions