diff options
Diffstat (limited to 'cooker/filter.c')
| -rw-r--r-- | cooker/filter.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/cooker/filter.c b/cooker/filter.c index e0c8081..765fa25 100644 --- a/cooker/filter.c +++ b/cooker/filter.c @@ -540,6 +540,11 @@ unsigned int filter_build(struct sock_filter filter[], unsigned n) /* pre-check instruction + load syscall number (4 instructions) */ accept = size + n_nodes + n; + + /* FIXME: See below */ + if (n > 1 && n % 2) + accept++; + notify = accept + 1; /* Insert nodes */ @@ -570,6 +575,13 @@ unsigned int filter_build(struct sock_filter filter[], unsigned n) */ next_offset += get_n_args_syscall_instr(nr) - 1; } + + /* FIXME: If we have an odd number of leaves, duplicate the last one, + * otherwise, left_child() will miscalculate terminal jump offsets. + */ + if (n > 1 && n % 2) + filter[size++] = EQ(nr, offset - 1, accept - size); + /* Seccomp accept and notify instruction */ filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); filter[size++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF); |