Message ID | 1422603994-5836-3-git-send-email-kaber@trash.net |
---|---|
State | RFC |
Delegated to: | Pablo Neira |
Hi Patrick,

Unless you have any concern, I'm going to apply this and 8/9 to nf-next, so you don't need to resend these two sanitization fixes.

Thanks.

On Fri, Jan 30, 2015 at 07:46:27AM +0000, Patrick McHardy wrote:
> Signed-off-by: Patrick McHardy <kaber@trash.net> > --- > net/netfilter/nf_tables_api.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 129a8da..92ba4a0 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -3112,6 +3112,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, > elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS])); > if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END) > return -EINVAL; > + if (!(set->flags & NFT_SET_INTERVAL) && > + elem.flags & NFT_SET_ELEM_INTERVAL_END) > + return -EINVAL; > } > > if (set->flags & NFT_SET_MAP) { > -- > 2.1.0

On 30.01, Pablo Neira Ayuso wrote:
> Hi Patrick,
>
> Unless you have any concern, I'm going to apply this and 8/9 to
> nf-next, so you don't need to resend these two sanitization fixes.

This one is not needed for mainline so far since nft_hash validates on its own. It is only required since my series centralizes that validation once the set extensions are added.

For 8/9, sure.

On Fri, Jan 30, 2015 at 05:55:26PM +0000, Patrick McHardy wrote:
> On 30.01, Pablo Neira Ayuso wrote:
> > Hi Patrick,
> >
> > Unless you have any concern, I'm going to apply this and 8/9 to
> > nf-next, so you don't need to resend these two sanitization fixes.
>
> This one is not needed for mainline so far since nft_hash validates
> on its own. It is only required since my series centralizes that
> validation once the set extensions are added.
>
> For 8/9, sure.

OK, I'll take 8/9 then, thanks!

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 129a8da..92ba4a0 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3112,6 +3112,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS])); if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END) return -EINVAL; + if (!(set->flags & NFT_SET_INTERVAL) && + elem.flags & NFT_SET_ELEM_INTERVAL_END) + return -EINVAL; } if (set->flags & NFT_SET_MAP) {
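Review bot: in the added condition in nft_add_set_elem(), the second operand "elem.flags & NFT_SET_ELEM_INTERVAL_END" is left unparenthesized next to "&&", while the first operand "!(set->flags & NFT_SET_INTERVAL)" is parenthesized. C precedence evaluates it as intended, since & binds tighter than &&, but writing "(elem.flags & NFT_SET_ELEM_INTERVAL_END)" would make that obvious and keep the two operands consistent. Separately, the commit message consists only of the Signed-off-by line. A sentence on why the check is added would help a later reader, namely that an element carrying the interval-end flag is rejected with -EINVAL when the set itself was not created with NFT_SET_INTERVAL, and that, per the thread, this matters once validation is centralized rather than left to the set implementation.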
Signed-off-by: Patrick McHardy <kaber@trash.net> --- net/netfilter/nf_tables_api.c | 3 +++ 1 file changed, 3 insertions(+)