#endif
#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
+static DECLARE_MUTEX(ipt_mutex);
+
/* Must have mutex */
#define ASSERT_READ_LOCK(x) IP_NF_ASSERT(down_trylock(&ipt_mutex) != 0)
#define ASSERT_WRITE_LOCK(x) IP_NF_ASSERT(down_trylock(&ipt_mutex) != 0)
int *hotdrop)
{
/* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
- u_int8_t opt[60 - sizeof(struct tcphdr)];
+ u_int8_t _opt[60 - sizeof(struct tcphdr)], *op;
unsigned int i;
duprintf("tcp_match: finding option\n");
+
+ if (!optlen)
+ return invert;
+
/* If we don't have the whole header, drop packet. */
- if (skb_copy_bits(skb, skb->nh.iph->ihl*4 + sizeof(struct tcphdr),
- opt, optlen) < 0) {
+ op = skb_header_pointer(skb,
+ skb->nh.iph->ihl*4 + sizeof(struct tcphdr),
+ optlen, _opt);
+ if (op == NULL) {
*hotdrop = 1;
return 0;
}
for (i = 0; i < optlen; ) {
- if (opt[i] == option) return !invert;
- if (opt[i] < 2) i++;
- else i += opt[i+1]?:1;
+ if (op[i] == option) return !invert;
+ if (op[i] < 2) i++;
+ else i += op[i+1]?:1;
}
return invert;
int offset,
int *hotdrop)
{
- struct tcphdr tcph;
+ struct tcphdr _tcph, *th;
const struct ipt_tcp *tcpinfo = matchinfo;
if (offset) {
#define FWINVTCP(bool,invflg) ((bool) ^ !!(tcpinfo->invflags & invflg))
- if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &tcph, sizeof(tcph)) < 0) {
+ th = skb_header_pointer(skb, skb->nh.iph->ihl*4,
+ sizeof(_tcph), &_tcph);
+ if (th == NULL) {
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil TCP offset=0 tinygram.\n");
}
if (!port_match(tcpinfo->spts[0], tcpinfo->spts[1],
- ntohs(tcph.source),
+ ntohs(th->source),
!!(tcpinfo->invflags & IPT_TCP_INV_SRCPT)))
return 0;
if (!port_match(tcpinfo->dpts[0], tcpinfo->dpts[1],
- ntohs(tcph.dest),
+ ntohs(th->dest),
!!(tcpinfo->invflags & IPT_TCP_INV_DSTPT)))
return 0;
- if (!FWINVTCP((((unsigned char *)&tcph)[13] & tcpinfo->flg_mask)
+ if (!FWINVTCP((((unsigned char *)th)[13] & tcpinfo->flg_mask)
== tcpinfo->flg_cmp,
IPT_TCP_INV_FLAGS))
return 0;
if (tcpinfo->option) {
- if (tcph.doff * 4 < sizeof(tcph)) {
+ if (th->doff * 4 < sizeof(_tcph)) {
*hotdrop = 1;
return 0;
}
- if (!tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
+ if (!tcp_find_option(tcpinfo->option, skb,
+ th->doff*4 - sizeof(_tcph),
tcpinfo->invflags & IPT_TCP_INV_OPTION,
hotdrop))
return 0;
int offset,
int *hotdrop)
{
- struct udphdr udph;
+ struct udphdr _udph, *uh;
const struct ipt_udp *udpinfo = matchinfo;
/* Must not be a fragment. */
if (offset)
return 0;
- if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &udph, sizeof(udph)) < 0) {
+ uh = skb_header_pointer(skb, skb->nh.iph->ihl*4,
+ sizeof(_udph), &_udph);
+ if (uh == NULL) {
/* We've been asked to examine this packet, and we
can't. Hence, no choice but to drop. */
duprintf("Dropping evil UDP tinygram.\n");
}
return port_match(udpinfo->spts[0], udpinfo->spts[1],
- ntohs(udph.source),
+ ntohs(uh->source),
!!(udpinfo->invflags & IPT_UDP_INV_SRCPT))
&& port_match(udpinfo->dpts[0], udpinfo->dpts[1],
- ntohs(udph.dest),
+ ntohs(uh->dest),
!!(udpinfo->invflags & IPT_UDP_INV_DSTPT));
}
int offset,
int *hotdrop)
{
- struct icmphdr icmph;
+ struct icmphdr _icmph, *ic;
const struct ipt_icmp *icmpinfo = matchinfo;
/* Must not be a fragment. */
if (offset)
return 0;
- if (skb_copy_bits(skb, skb->nh.iph->ihl*4, &icmph, sizeof(icmph)) < 0){
+ ic = skb_header_pointer(skb, skb->nh.iph->ihl*4,
+ sizeof(_icmph), &_icmph);
+ if (ic == NULL) {
/* We've been asked to examine this packet, and we
- can't. Hence, no choice but to drop. */
+ * can't. Hence, no choice but to drop.
+ */
duprintf("Dropping evil ICMP tinygram.\n");
*hotdrop = 1;
return 0;
return icmp_type_code_match(icmpinfo->type,
icmpinfo->code[0],
icmpinfo->code[1],
- icmph.type, icmph.code,
+ ic->type, ic->code,
!!(icmpinfo->invflags&IPT_ICMP_INV));
}