netfilter: expect: Make sure the max_expected limit is effective

Because the type of expecting, the member of nf_conn_help, is u8, it would overflow after reach U8_MAX(255). So it doesn't work when we configure the max_expected exceeds 255 with expect policy. Now add the check for max_expected. Return the -EINVAL when it exceeds the limit. Signed-off-by: Gao Feng <fgao@ikuai8.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Gao Feng <fgao@ikuai8.com> 2017-03-24 21:32:19 +0800
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-04-06 18:32:16 +0200
commit: 92f73221f9e9e143d242e3eca9c512dac969765e (patch)
tree: 9c493bd487511b3230393788568bfe3ae3ae81a2 /include/net
parent: f323d9546927a012cafbb7e503e6aa0e9fbff94b (diff)
download: op-kernel-dev-92f73221f9e9e143d242e3eca9c512dac969765e.zip
op-kernel-dev-92f73221f9e9e143d242e3eca9c512dac969765e.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 65cc2cb..e84df8d 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -73,6 +73,7 @@ struct nf_conntrack_expect_policy {
 };
 
 #define NF_CT_EXPECT_CLASS_DEFAULT	0
+#define NF_CT_EXPECT_MAX_CNT		255
 
 int nf_conntrack_expect_pernet_init(struct net *net);
 void nf_conntrack_expect_pernet_fini(struct net *net);
author	Gao Feng <fgao@ikuai8.com>	2017-03-24 21:32:19 +0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-04-06 18:32:16 +0200
commit	92f73221f9e9e143d242e3eca9c512dac969765e (patch)
tree	9c493bd487511b3230393788568bfe3ae3ae81a2 /include/net
parent	f323d9546927a012cafbb7e503e6aa0e9fbff94b (diff)
download	op-kernel-dev-92f73221f9e9e143d242e3eca9c512dac969765e.zip op-kernel-dev-92f73221f9e9e143d242e3eca9c512dac969765e.tar.gz