tcpdump mailing list archives
protochain, BPF_JA, and sk_chk_filter
From: Robert Edmonds <edmonds () debian org>
Date: Wed, 17 Sep 2008 21:26:40 +0000 (UTC)
tcpdump produces bpf filter code for 'ip6 and protochain ipv6-frag' that includes:

    (000) ldh [12]
    [...]
    (021) ja 6
    [...]
    (062) ret #0

the jump instruction decodes to:

    { 0x5, 0, 0, 0xfffffff0 }

the linux kernel returns EINVAL when tcpdump tries to load this filter code onto the socket:

    Warning: Kernel filter failed: Invalid argument

further investigation shows that the failed check occurs in the linux kernel's net/core/filter.c sk_chk_filter() function:

    case BPF_JMP|BPF_JA:
        /*
         * Note, the large ftest->k might cause loops.
         * Compare this with conditional jumps below,
         * where offsets are limited. --ANK (981016)
         */
        if (ftest->k >= (unsigned)(flen-pc-1))
            return -EINVAL;
        break;

(http://lxr.linux.no/linux+v2.6.26.5/net/core/filter.c#L409)

the comparison succeeds because the large unsigned k-value for this instruction (0xfffffff0) is much larger than the number of remaining bpf instructions (flen-pc-1).

is this a bug in libpcap's protochain filter generation code?

--
Robert Edmonds
edmonds () debian org
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
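The check described in the message above, worked through as an added example (not part of the original post, and not libpcap or kernel code). It assumes a filter length of 63 taken from the listing's last index (062); the function names and the placeholder instructions around (021) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction layout: opcode, jump-true, jump-false, operand k. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define BPF_JMP 0x05
#define BPF_JA  0x00
#define BPF_RET 0x06
#define SAMPLE_LEN 63u   /* assumption: listing runs (000)..(062) */
#define SAMPLE_PC  21u   /* index of the "ja" in the listing */

/* Same comparison as the quoted sk_chk_filter() case; -1 stands in for -EINVAL. */
static int check_ja(const struct insn *f, unsigned flen, unsigned pc)
{
    if (f[pc].code == (BPF_JMP | BPF_JA) && f[pc].k >= (unsigned)(flen - pc - 1))
        return -1;
    return 0;
}

/* Jump target if k is read as a signed offset from the next instruction. */
static long ja_target_signed(const struct insn *f, unsigned pc)
{
    return (long)pc + 1 + (int32_t)f[pc].k;
}

/* Constructed sample: only (021) and (062) come from the message; the rest are placeholder returns. */
static void build_sample(struct insn *f)
{
    memset(f, 0, SAMPLE_LEN * sizeof *f);
    for (unsigned i = 0; i < SAMPLE_LEN; i++)
        f[i].code = BPF_RET;
    f[SAMPLE_PC] = (struct insn){ 0x5, 0, 0, 0xfffffff0 };
}

int main(void)
{
    struct insn f[SAMPLE_LEN];
    build_sample(f);
    printf("remaining after pc: %u\n", SAMPLE_LEN - SAMPLE_PC - 1);
    printf("k unsigned: %u, signed: %d\n", (unsigned)f[SAMPLE_PC].k, (int32_t)f[SAMPLE_PC].k);
    printf("check_ja: %d\n", check_ja(f, SAMPLE_LEN, SAMPLE_PC));
    printf("signed target: %ld\n", ja_target_signed(f, SAMPLE_PC));
    return 0;
}
```

Read as a signed 32-bit value, 0xfffffff0 is -16, which from instruction 21 gives target 6, the same number shown in the `ja 6` line of the listing; the unsigned comparison sees 4294967280 against 41 remaining instructions and rejects it.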