Patchwork [3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value

login
register
mail settings
Submitter Pablo Neira
Date Oct. 11, 2012, 10:17 a.m.
Message ID <1349950658-12548-4-git-send-email-pablo@netfilter.org>
Download mbox | patch
Permalink /patch/190863/
State Accepted
Headers show

Comments

Pablo Neira - Oct. 11, 2012, 10:17 a.m.
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.

Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

This patch requires:

commit 127f559127f5175e4bec3dab725a34845d956591
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date:   Mon May 7 02:35:44 2012 +0000

    netfilter: ipset: fix timeout value overflow bug
    
    Large timeout parameters could result wrong timeout values due to
    an overflow at msec to jiffies conversion (reported by Andreas Herz)

---
 net/netfilter/xt_set.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Greg KH - Oct. 15, 2012, 11:22 p.m.
On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> 
> The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> broke the SET target when no timeout was specified.
> 
> Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> 
> This patch requires:
> 
> commit 127f559127f5175e4bec3dab725a34845d956591
> Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Date:   Mon May 7 02:35:44 2012 +0000
> 
>     netfilter: ipset: fix timeout value overflow bug
>     
>     Large timeout parameters could result wrong timeout values due to
>     an overflow at msec to jiffies conversion (reported by Andreas Herz)

This patch doesn't apply to the 3.0.y series, care to provide a
backport, and a backported version of the original patch above that
needs it?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg KH - Oct. 15, 2012, 11:27 p.m.
On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > 
> > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > broke the SET target when no timeout was specified.
> > 
> > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> > 
> > This patch requires:
> > 
> > commit 127f559127f5175e4bec3dab725a34845d956591
> > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > Date:   Mon May 7 02:35:44 2012 +0000
> > 
> >     netfilter: ipset: fix timeout value overflow bug
> >     
> >     Large timeout parameters could result wrong timeout values due to
> >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> 
> This patch doesn't apply to the 3.0.y series, care to provide a
> backport, and a backported version of the original patch above that
> needs it?

Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
that and see if these two then apply here...

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg KH - Oct. 15, 2012, 11:40 p.m.
On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > 
> > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > broke the SET target when no timeout was specified.
> > > 
> > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > ---
> > > 
> > > This patch requires:
> > > 
> > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > Date:   Mon May 7 02:35:44 2012 +0000
> > > 
> > >     netfilter: ipset: fix timeout value overflow bug
> > >     
> > >     Large timeout parameters could result wrong timeout values due to
> > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > 
> > This patch doesn't apply to the 3.0.y series, care to provide a
> > backport, and a backported version of the original patch above that
> > needs it?
> 
> Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> that and see if these two then apply here...

Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
and send them to us?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - Oct. 16, 2012, 9:36 a.m.
On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > 
> > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > broke the SET target when no timeout was specified.
> > > > 
> > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > ---
> > > > 
> > > > This patch requires:
> > > > 
> > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > Date:   Mon May 7 02:35:44 2012 +0000
> > > > 
> > > >     netfilter: ipset: fix timeout value overflow bug
> > > >     
> > > >     Large timeout parameters could result wrong timeout values due to
> > > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > 
> > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > backport, and a backported version of the original patch above that
> > > needs it?
> > 
> > Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> > that and see if these two then apply here...
> 
> Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
> and send them to us?

I can send you the backport for 3.2 but not for 3.0.

That fix is for one feature that was added in 3.1, so no way to make it
for 3.0 :-)

Let me know.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg KH - Oct. 16, 2012, 4:32 p.m.
On Tue, Oct 16, 2012 at 11:36:53AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > 
> > > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > > broke the SET target when no timeout was specified.
> > > > > 
> > > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > ---
> > > > > 
> > > > > This patch requires:
> > > > > 
> > > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Date:   Mon May 7 02:35:44 2012 +0000
> > > > > 
> > > > >     netfilter: ipset: fix timeout value overflow bug
> > > > >     
> > > > >     Large timeout parameters could result wrong timeout values due to
> > > > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > > 
> > > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > > backport, and a backported version of the original patch above that
> > > > needs it?
> > > 
> > > Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> > > that and see if these two then apply here...
> > 
> > Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
> > and send them to us?
> 
> I can send you the backport for 3.2 but not for 3.0.
> 
> That fix is for one feature that was added in 3.1, so no way to make it
> for 3.0 :-)

Ah, ok, no worries then.

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Ben Hutchings - Oct. 17, 2012, 2:09 a.m.
On Tue, 2012-10-16 at 11:36 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > 
> > > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > > broke the SET target when no timeout was specified.
> > > > > 
> > > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > ---
> > > > > 
> > > > > This patch requires:
> > > > > 
> > > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Date:   Mon May 7 02:35:44 2012 +0000
> > > > > 
> > > > >     netfilter: ipset: fix timeout value overflow bug
> > > > >     
> > > > >     Large timeout parameters could result wrong timeout values due to
> > > > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > > 
> > > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > > backport, and a backported version of the original patch above that
> > > > needs it?
> > > 
> > > Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> > > that and see if these two then apply here...
> > 
> > Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
> > and send them to us?
> 
> I can send you the backport for 3.2 but not for 3.0.
>
> That fix is for one feature that was added in 3.1, so no way to make it
> for 3.0 :-)
> 
> Let me know.

I look after 3.2.  I don't think the original timeout overflow bug is
important enough for a stable update, so I don't intend to apply either
of these.

Ben.

Patch

diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..c6f7db7 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@ 
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@  set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 		info->del_set.flags, 0, UINT_MAX);
 
 	/* Normalize to fit into jiffies */
-	if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+	if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+	    add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
 		add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);