From patchwork Thu Oct 11 10:17:38 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value Date: Thu, 11 Oct 2012 00:17:38 -0000 From: Pablo Neira X-Patchwork-Id: 190863 Message-Id: <1349950658-12548-4-git-send-email-pablo@netfilter.org> To: stable@vger.kernel.org Cc: netfilter-devel@vger.kernel.org From: Jozsef Kadlecsik The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- This patch requires: commit 127f559127f5175e4bec3dab725a34845d956591 Author: Jozsef Kadlecsik Date: Mon May 7 02:35:44 2012 +0000 netfilter: ipset: fix timeout value overflow bug Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz) --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..c6f7db7 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c @@ -16,6 +16,7 @@ #include #include +#include MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik "); @@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT && + add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt);