tcpdump mailing list archives
Re: protochain, BPF_JA, and sk_chk_filter
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Fri, 19 Sep 2008 13:00:57 +0000
On 2008-09-19 07:48, Guy Harris wrote:
> and 1) has no clue whether the program is being generated for the kernel or userland and 2) takes raw generated code, not a filter expression from which to generate code, as an argument, so there's no place to *tell* it what kind of code to generate.

There's really no need. The BPF engine can certainly be protected against this. E.g. count each BPF instruction you execute and bail after a threshold is reached. On bailing, you could also detach the filter, if you want to set a very high threshold.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
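
The instruction-count guard suggested in the message above, sketched as an added example; it is not code from this thread, libpcap, or any kernel. The `struct filter` handle, `run_filter`, the budget of 1000 and the sample programs are assumptions made for illustration, only a small subset of classic BPF opcodes is interpreted, and the BPF_JA offset is treated as signed so that a backward jump can occur.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Classic BPF opcode encodings (BPF_LD|BPF_IMM, BPF_JMP|BPF_JA, ...). */
enum { LD_IMM = 0x00, ADD_K = 0x04, JA = 0x05, RET_K = 0x06,
       JEQ_K = 0x15, LDB_ABS = 0x30 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Hypothetical handle: a program plus an "attached" flag. */
struct filter { const struct insn *prog; size_t len; int attached; };
/* Run f over pkt, executing at most `budget` instructions. Returns the
 * snap length (0 = drop). On exhaustion: drop the packet and detach f. */
uint32_t run_filter(struct filter *f, const uint8_t *pkt, size_t plen,
                    unsigned budget)
{
    uint32_t A = 0;
    int64_t pc = 0;
    if (!f->attached) return 0;
    while (pc >= 0 && (size_t)pc < f->len) {
        const struct insn *i = &f->prog[pc++];
        if (budget-- == 0) { f->attached = 0; return 0; }
        switch (i->code) {
        case LD_IMM:  A = i->k; break;
        case ADD_K:   A += i->k; break;
        case LDB_ABS: if (i->k >= plen) return 0; A = pkt[i->k]; break;
        case JA:      pc += (int32_t)i->k; break; /* signed: may go back */
        case JEQ_K:   pc += (A == i->k) ? i->jt : i->jf; break;
        case RET_K:   return i->k;
        default:      return 0;  /* unknown opcode: drop */
        }
    }
    return 0;  /* fell off either end of the program */
}

/* Constructed samples: a well-formed filter and one with a backward JA. */
static const struct insn ok_prog[] = {
    { LDB_ABS, 0, 0, 0 }, { JEQ_K, 0, 1, 0x45 }, { RET_K, 0, 0, 96 },
    { RET_K, 0, 0, 0 } };
static const struct insn loop_prog[] = {
    { LD_IMM, 0, 0, 0 }, { ADD_K, 0, 0, 1 }, { JA, 0, 0, (uint32_t)-2 } };
struct filter ok_filter = { ok_prog, 4, 1 }, loop_filter = { loop_prog, 3, 1 };
const uint8_t sample_pkt[] = { 0x45, 0x00, 0x00, 0x54 };

int main(void)
{
    uint32_t r = run_filter(&ok_filter, sample_pkt, sizeof sample_pkt, 1000);
    printf("ok: ret=%u attached=%d\n", (unsigned)r, ok_filter.attached);
    r = run_filter(&loop_filter, sample_pkt, sizeof sample_pkt, 1000);
    printf("loop: ret=%u attached=%d\n", (unsigned)r, loop_filter.attached);
    return 0;
}
```

The looping program never reaches a return instruction, so the budget is the only thing that ends the run; once detached, later calls return 0 without interpreting anything.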