summaryrefslogtreecommitdiff
path: root/sound/isa
diff options
context:
space:
mode:
authorAlban Browaeys <alban.browaeys@gmail.com>2017-02-06 23:50:33 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2017-02-19 21:12:23 +0100
commitad5b55761956427f61ed9c96961bf9c5cd4f92dc (patch)
treebcc9a3e4577bf97bdab5f03aa9ec91e8decb48df /sound/isa
parentf95d7a46bc5722767c30ee223c8b67dd0f2e8793 (diff)
netfilter: xt_hashlimit: Fix integer divide round to zero.
Diving the divider by the multiplier before applying to the input. When this would "divide by zero", divide the multiplier by the divider first then multiply the input by this value. Currently user2creds outputs zero when input value is bigger than the number of slices and lower than scale. This as then user input is applied an integer divide operation to a number greater than itself (scale). That rounds up to zero, then we multiply zero by the credits slice size. iptables -t filter -I INPUT --protocol tcp --match hashlimit --hashlimit 40/second --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name syn-flood --jump RETURN thus trigger the overflow detection code: xt_hashlimit: overflow, try lower: 25000/20 (25000 as hashlimit avg and 20 the burst) Here: 134217 slices of (HZ * CREDITS_PER_JIFFY) size. 500000 is user input value 1000000 is XT_HASHLIMIT_SCALE_v2 gives: 0 as user2creds output Setting burst to "1" typically solve the issue ... but setting it to "40" does too ! This is on 32bit arch calling into revision 2 of hashlimit. Signed-off-by: Alban Browaeys <alban.browaeys@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'sound/isa')
0 files changed, 0 insertions, 0 deletions