On Wed, Jan 03, 2001 at 11:55:30AM -0800, Guy Harris wrote:
> if the modified program that "fix_program()" produced had an
> illegal jump or an illegal memory reference in it - and it looks
> as if the "sk_chk_filter()" routine in the 2.2.15 kernel, at
> least, might not realize that the BPF *interpreter* allows
> certain negative offsets in BPF instructions (the offset field
> of the instruction is unsigned in the data structure it's using,
> and it checks whether that offset is too large, so a negative
> offset would be much too large), and, in order to test the
> packet type to see if it's an ARP packet *when capturing in
> cooked mode*, it'd have to use a negative offset.
>
> However, it *shouldn't* be using cooked mode for "eth0", so that
> particular kernel bug shouldn't be biting us.

"sk_chk_filter()" doesn't care about references to packet data - it
doesn't check them, so the negative-offset references will pass its
test.

> At least when I last tried it, it worked on my home machine, running a
> 2.2.17-prewhatever kernel (whatever comes with Debian 2.2).

It worked when I tried it just now; perhaps something else is getting in
the way....
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
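The two behaviours discussed in the thread, side by side, as an added example that is not part of the original messages and is not the kernel's "sk_chk_filter()" source: a simplified checker that validates only jumps and scratch-memory indexes, and a variant that also range-checks packet offsets as unsigned values. The names `check_filter`, `strict_pkt`, `MAX_PKT_OFF` and `arp_filter` are hypothetical; the opcode and `SKF_AD_*` values are those of `<linux/filter.h>`.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction; k is unsigned, as in struct sock_filter. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Opcode fields and ancillary offsets, values as in <linux/filter.h>. */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
enum { BPF_LD = 0, BPF_LDX = 1, BPF_ST = 2, BPF_STX = 3, BPF_JMP = 5, BPF_RET = 6 };
enum { BPF_H = 0x08, BPF_ABS = 0x20, BPF_MEM = 0x60, BPF_JA = 0x00, BPF_JEQ = 0x10 };
#define BPF_MEMWORDS    16
#define SKF_AD_OFF      (-0x1000)
#define SKF_AD_PROTOCOL 0
#define MAX_PKT_OFF     0xffffu   /* assumed limit, used only when strict_pkt != 0 */

/* Simplified model. strict_pkt == 0: only jumps and scratch-memory indexes are
 * validated. strict_pkt == 1: BPF_ABS offsets are also range-checked, unsigned. */
int check_filter(const struct insn *f, uint32_t len, int strict_pkt)
{
    if (len == 0 || BPF_CLASS(f[len - 1].code) != BPF_RET) return -1;
    for (uint32_t pc = 0; pc < len; pc++) {
        uint16_t c = f[pc].code; int cls = BPF_CLASS(c);
        uint32_t left = len - pc - 1;        /* instructions after this one */
        int is_load = cls == BPF_LD || cls == BPF_LDX, is_store = cls == BPF_ST || cls == BPF_STX;
        if (cls == BPF_JMP && (BPF_OP(c) == BPF_JA ? f[pc].k >= left
                               : (f[pc].jt >= left || f[pc].jf >= left)))
            return -1;                       /* jump target past the end */
        if ((is_store || (is_load && BPF_MODE(c) == BPF_MEM)) && f[pc].k >= BPF_MEMWORDS)
            return -1;                       /* scratch index out of range */
        if (strict_pkt && is_load && BPF_MODE(c) == BPF_ABS && f[pc].k > MAX_PKT_OFF)
            return -1;                       /* -0x1000 is seen as 0xfffff000 */
    }
    return 0;
}

/* Constructed sample: ldh [SKF_AD_OFF + SKF_AD_PROTOCOL]; jeq #0x0806; ret. */
static const struct insn arp_filter[] = {
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, (uint32_t)(SKF_AD_OFF + SKF_AD_PROTOCOL) },
    { BPF_JMP | BPF_JEQ, 0, 1, 0x0806 },
    { BPF_RET, 0, 0, 0xffffffffu },
    { BPF_RET, 0, 0, 0 },
};

int main(void)
{
    printf("lenient=%d strict=%d\n", check_filter(arp_filter, 4, 0), check_filter(arp_filter, 4, 1));
    return 0;
}
```

A checker of the first kind accepts the negative-offset load, so the bounds handling for such loads falls entirely on the interpreter at run time.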