Patchwork [1/1] Timeout fixing bug broke SET target special timeout value, fixed

Submitter Jozsef Kadlecsik
Date June 29, 2012, 7:42 p.m.
Message ID <1340998948-29672-2-git-send-email-kadlec@blackhole.kfki.hu>
Permalink /patch/168255/
State Accepted

Comments

Jozsef Kadlecsik - June 29, 2012, 7:42 p.m.
The patch "Fix timeout value overflow bug at large timeout parameters"
broke the SET target when no timeout was specified (reported by
Jean-Philippe Menil).

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
 net/netfilter/xt_set.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

Pablo Neira - July 4, 2012, 9:18 p.m.
On Fri, Jun 29, 2012 at 09:42:28PM +0200, Jozsef Kadlecsik wrote:
> The patch "Fix timeout value overflow bug at large timeout parameters"
> broke the SET target when no timeout was specified (reported by
> Jean-Philippe Menil).
> 
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

I've enqueued this for 3.5-rc, thanks Jozsef.

I'll pass this to -stable 3.4 once this hits Linus' tree.

Patch

diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..b172cbc 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@ 
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@  set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 		info->del_set.flags, 0, UINT_MAX);
 
 	/* Normalize to fit into jiffies */
-	if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+	if (add_opt.timeout != IPSET_NO_TIMEOUT
+	    && add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
 		add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);
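
Review bot: the comment above the changed condition in set_target_v2 still reads only "Normalize to fit into jiffies", so nothing at the check explains why IPSET_NO_TIMEOUT is exempt from the clamp. From these lines, the old test capped every value above UINT_MAX/MSEC_PER_SEC, and since the fix has to exempt the sentinel, it evidently falls in that range: a rule with no timeout specified had add_opt.timeout rewritten to the cap before ip_set_add() saw it. Extending the comment to say that IPSET_NO_TIMEOUT is a special value that must reach ip_set_add() unchanged would keep a later cleanup from folding the condition back into a plain range check. Style point on the same two lines: checkpatch prefers the "&&" at the end of the first line rather than at the start of the continuation line.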