Red Hat Bugzilla – Attachment 310838 Details for
Bug 453814
Adding many iptables rules fails on archs with large NR_CPUS
[patch]
xt_table_info diet for rhel5
xt_table_info-diet-rhel5.patch (text/plain), 5.12 KB, created by
Bryn M. Reeves
on 2008-07-02 18:31:24 UTC
Description:
xt_table_info diet for rhel5
Creator:
Bryn M. Reeves
Created:
2008-07-02 18:31:24 UTC
Size:
5.12 KB
>diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
>index 48cc32d..90aec27 100644
>--- a/include/linux/netfilter/x_tables.h
>+++ b/include/linux/netfilter/x_tables.h
>@@ -285,9 +285,12 @@ struct xt_table_info
> unsigned int underflow[NF_IP_NUMHOOKS];
>
> /* ipt_entry tables: one per CPU */
>- char *entries[NR_CPUS];
>+ /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
>+ char *entries[1];
> };
>
>+#define XT_TABLE_INFO_SZ (offsetof(struct xt_table_info, entries) \
>+ + nr_cpu_ids * sizeof(char *))
> extern int xt_register_target(struct xt_target *target);
> extern void xt_unregister_target(struct xt_target *target);
> extern int xt_register_match(struct xt_match *target);
>diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
>index 8d1d7a6..b12f08b 100644
>--- a/net/ipv4/netfilter/arp_tables.c
>+++ b/net/ipv4/netfilter/arp_tables.c
>@@ -815,8 +815,7 @@ static int do_replace(void __user *user, unsigned int len)
> return -ENOPROTOOPT;
>
> /* overflow check */
>- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
>- SMP_CACHE_BYTES)
>+ if (tmp.size >= INT_MAX / num_possible_cpus())
> return -ENOMEM;
> if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
> return -ENOMEM;
>@@ -1094,7 +1093,7 @@ int arpt_register_table(struct arpt_table *table,
> {
> int ret;
> struct xt_table_info *newinfo;
>- static struct xt_table_info bootstrap
>+ struct xt_table_info bootstrap
> = { 0, 0, 0, { 0 }, { 0 }, { } };
> void *loc_cpu_entry;
>
>diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
>index 048514f..bcfbd70 100644
>--- a/net/ipv4/netfilter/ip_tables.c
>+++ b/net/ipv4/netfilter/ip_tables.c
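Review bot: With `entries` declared as `char *entries[1]` in the x_tables.h hunk, any `struct xt_table_info` that is declared directly or sized with `sizeof(struct xt_table_info)` has room for a single per-CPU pointer, so indexing `entries[cpu]` on such an object for a CPU id above 0 goes past its end. The added comment only says the field must be last; I would extend it to state the allocation rule, e.g. `/* Must be last. Only objects allocated with XT_TABLE_INFO_SZ have nr_cpu_ids slots; never index entries[] on a stack or static instance. */`. XT_TABLE_INFO_SZ also needs `offsetof` and `nr_cpu_ids` to be visible wherever it is expanded, which is worth confirming for the rhel5 tree because the hunk does not show the includes. The struct definition begins outside the hunk.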
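Review bot: The `/* overflow check */` comment above `if (tmp.size >= INT_MAX / num_possible_cpus())` in arp_tables.c do_replace no longer says what is being bounded, and `tmp.size` appears to come from the user-supplied replace request (`void __user *user`), so the reasoning deserves to be written down. The old expression also reserved room for `sizeof(struct xt_table_info)` and `SMP_CACHE_BYTES`; dropping that slack looks acceptable because xt_alloc_table_info allocates the header with its own kzalloc (see the x_tables.c hunk), and a comment such as `/* user-controlled size, one copy per possible CPU: keep the total below INT_MAX; the header is allocated separately */` would record that. The same applies to do_replace and compat_do_replace in ip_tables.c and to do_replace in ip6_tables.c. The body of do_replace continues outside the hunk.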
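Review bot: Dropping `static` in arpt_register_table turns `bootstrap` into an automatic variable, so its address must not survive the return of the function. The hunk does not show how `bootstrap` is used; if the code below stores its address in the table (for example as a temporary private pointer), every exit path, including the failure path, has to replace or clear that pointer, otherwise a stale pointer into a dead stack frame remains. I would add a comment at the declaration, `/* on-stack placeholder: must not be referenced after this function returns */`, and check the error paths against it. The same change is made in ipt_register_table and ip6t_register_table. The function body continues outside the hunk.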
>@@ -1020,7 +1020,8 @@ compat_calc_match(struct ipt_entry_match *m, int * size)
> return 0;
> }
>
>-static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
>+static int compat_calc_entry(struct ipt_entry *e,
>+ const struct xt_table_info *info,
> void *base, struct xt_table_info *newinfo)
> {
> struct ipt_entry_target *t;
>@@ -1051,22 +1052,17 @@ static int compat_calc_entry(struct ipt_entry *e, struct xt_table_info *info,
> return 0;
> }
>
>-static int compat_table_info(struct xt_table_info *info,
>+static int compat_table_info(const struct xt_table_info *info,
> struct xt_table_info *newinfo)
> {
> void *loc_cpu_entry;
>- int i;
>
> if (!newinfo || !info)
> return -EINVAL;
>
>- memset(newinfo, 0, sizeof(struct xt_table_info));
>- newinfo->size = info->size;
>- newinfo->number = info->number;
>- for (i = 0; i < NF_IP_NUMHOOKS; i++) {
>- newinfo->hook_entry[i] = info->hook_entry[i];
>- newinfo->underflow[i] = info->underflow[i];
>- }
>+ /* we dont care about newinfo->entries[] */
>+ memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
>+ newinfo->initial_entries = 0;
> loc_cpu_entry = info->entries[raw_smp_processor_id()];
> return IPT_ENTRY_ITERATE(loc_cpu_entry, info->size,
> compat_calc_entry, info, loc_cpu_entry, newinfo);
>@@ -1260,8 +1256,7 @@ do_replace(void __user *user, unsigned int len)
> return -ENOPROTOOPT;
>
> /* overflow check */
>- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
>- SMP_CACHE_BYTES)
>+ if (tmp.size >= INT_MAX / num_possible_cpus())
> return -ENOMEM;
> if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
> return -ENOMEM;
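Review bot: In compat_table_info the `memcpy(newinfo, info, offsetof(struct xt_table_info, entries))` replaces a `memset` of the whole structure, so `newinfo->entries[]` now keeps whatever the caller's memory held. The comment `/* we dont care about newinfo->entries[] */` states the intent but not the obligation it puts on callers; if `newinfo` is a stack object in the caller (not visible here), nothing may later dereference those pointers or copy the structure out wholesale. I would either add `newinfo->entries[0] = NULL;` after the memcpy or reword the comment to `/* newinfo->entries[] is left uninitialised on purpose; callers must not read it */`. The end of the function lies outside the hunk.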
>@@ -1795,8 +1790,7 @@ compat_do_replace(void __user *user, unsigned int len)
> return -ENOPROTOOPT;
>
> /* overflow check */
>- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
>- SMP_CACHE_BYTES)
>+ if (tmp.size >= INT_MAX / num_possible_cpus())
> return -ENOMEM;
> if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
> return -ENOMEM;
>@@ -2089,7 +2083,7 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
> {
> int ret;
> struct xt_table_info *newinfo;
>- static struct xt_table_info bootstrap
>+ struct xt_table_info bootstrap
> = { 0, 0, 0, { 0 }, { 0 }, { } };
> void *loc_cpu_entry;
>
>diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
>index 49a6f08..4af537c 100644
>--- a/net/ipv6/netfilter/ip6_tables.c
>+++ b/net/ipv6/netfilter/ip6_tables.c
>@@ -964,8 +964,7 @@ do_replace(void __user *user, unsigned int len)
> return -EFAULT;
>
> /* overflow check */
>- if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
>- SMP_CACHE_BYTES)
>+ if (tmp.size >= INT_MAX / num_possible_cpus())
> return -ENOMEM;
> if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
> return -ENOMEM;
>@@ -1261,7 +1260,7 @@ int ip6t_register_table(struct xt_table *table,
> {
> int ret;
> struct xt_table_info *newinfo;
>- static struct xt_table_info bootstrap
>+ struct xt_table_info bootstrap
> = { 0, 0, 0, { 0 }, { 0 }, { } };
> void *loc_cpu_entry;
>
>diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
>index 174e8f9..024aa6d 100644
>--- a/net/netfilter/x_tables.c
>+++ b/net/netfilter/x_tables.c
>@@ -406,7 +406,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
> if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > num_physpages)
> return NULL;
>
>- newinfo = kzalloc(sizeof(struct xt_table_info), GFP_KERNEL);
>+ newinfo = kzalloc(XT_TABLE_INFO_SZ, GFP_KERNEL);
> if (!newinfo)
> return NULL;
>