diff options
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/Kconfig | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_sip.c | 10 | ||||
-rw-r--r-- | net/netfilter/xt_connbytes.c | 29 |
3 files changed, 21 insertions, 20 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index cd10e44..2a2bcb3 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -628,7 +628,7 @@ config NETFILTER_XT_MATCH_TCPMSS config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' - depends on NETFILTER_XTABLES + depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) help This option adds a `hashlimit' match. diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index eb2a241..9dec115 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -303,10 +303,16 @@ static int skp_epaddr_len(struct nf_conn *ct, const char *dptr, { int s = *shift; - for (; dptr <= limit && *dptr != '@'; dptr++) + /* Search for @, but stop at the end of the line. + * We are inside a sip: URI, so we don't need to worry about + * continuation lines. */ + while (dptr <= limit && + *dptr != '@' && *dptr != '\r' && *dptr != '\n') { (*shift)++; + dptr++; + } - if (*dptr == '@') { + if (dptr <= limit && *dptr == '@') { dptr++; (*shift)++; } else diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c index d93cb09..5e32dfa 100644 --- a/net/netfilter/xt_connbytes.c +++ b/net/netfilter/xt_connbytes.c @@ -52,6 +52,8 @@ match(const struct sk_buff *skb, { const struct xt_connbytes_info *sinfo = matchinfo; u_int64_t what = 0; /* initialize to make gcc happy */ + u_int64_t bytes = 0; + u_int64_t pkts = 0; const struct ip_conntrack_counter *counters; if (!(counters = nf_ct_get_counters(skb))) @@ -89,29 +91,22 @@ match(const struct sk_buff *skb, case XT_CONNBYTES_AVGPKT: switch (sinfo->direction) { case XT_CONNBYTES_DIR_ORIGINAL: - what = div64_64(counters[IP_CT_DIR_ORIGINAL].bytes, - counters[IP_CT_DIR_ORIGINAL].packets); + bytes = counters[IP_CT_DIR_ORIGINAL].bytes; + pkts = counters[IP_CT_DIR_ORIGINAL].packets; break; case XT_CONNBYTES_DIR_REPLY: - what = div64_64(counters[IP_CT_DIR_REPLY].bytes, - counters[IP_CT_DIR_REPLY].packets); + bytes = counters[IP_CT_DIR_REPLY].bytes; + pkts = counters[IP_CT_DIR_REPLY].packets; break; case XT_CONNBYTES_DIR_BOTH: - { - u_int64_t bytes; - u_int64_t pkts; - bytes = counters[IP_CT_DIR_ORIGINAL].bytes + - counters[IP_CT_DIR_REPLY].bytes; - pkts = counters[IP_CT_DIR_ORIGINAL].packets+ - counters[IP_CT_DIR_REPLY].packets; - - /* FIXME_THEORETICAL: what to do if sum - * overflows ? */ - - what = div64_64(bytes, pkts); - } + bytes = counters[IP_CT_DIR_ORIGINAL].bytes + + counters[IP_CT_DIR_REPLY].bytes; + pkts = counters[IP_CT_DIR_ORIGINAL].packets + + counters[IP_CT_DIR_REPLY].packets; break; } + if (pkts != 0) + what = div64_64(bytes, pkts); break; } |