diff options
| author | Florian Westphal <fw@strlen.de> | 2016-04-01 14:17:22 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2016-11-20 01:16:53 +0000 |
| commit | f05615752178e6bac752c16f6a3380302cadfcd6 (patch) | |
| tree | e0e2272c515f876a132f4af07b811c0c7e2c8ed7 /include/linux | |
| parent | a6889df5406276eefa252cace97d3d2e5c48af05 (diff) | |
netfilter: x_tables: validate targets of jumps
commit 36472341017529e2b12573093cc0f68719300997 upstream.
When we see a jump also check that the offset gets us to beginning of
a rule (an ipt_entry).
The extra overhead is negible, even with absurd cases.
300k custom rules, 300k jumps to 'next' user chain:
[ plus one jump from INPUT to first userchain ]:
Before:
real 0m24.874s
user 0m7.532s
sys 0m16.076s
After:
real 0m27.464s
user 0m7.436s
sys 0m18.840s
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
