Message ID | 20220629212109.3045794-2-vpai@akamai.com |
---|---|
State | Changes Requested |
Delegated to: | Jozsef Kadlecsik |
Headers | show |
Series | netfilter: ipset: regression in ip_set_hash_ip.c | expand |
Hi Vishwanath, On Wed, 29 Jun 2022, Vishwanath Pai wrote: > This patch introduced a regression: commit 48596a8ddc46 ("netfilter: > ipset: Fix adding an IPv4 range containing more than 2^31 addresses") > > The variable e.ip is passed to adtfn() function which finally adds the > ip address to the set. The patch above refactored the for loop and moved > e.ip = htonl(ip) to the end of the for loop. > > What this means is that if the value of "ip" changes between the first > assignement of e.ip and the forloop, then e.ip is pointing to a > different ip address than "ip". > > Test case: > $ ipset create jdtest_tmp hash:ip family inet hashsize 2048 maxelem 100000 > $ ipset add jdtest_tmp 10.0.1.1/31 > ipset v6.21.1: Element cannot be added to the set: it's already added > > The value of ip gets updated inside the "else if (tb[IPSET_ATTR_CIDR])" > block but e.ip is still pointing to the old value. > > Reviewed-by: Joshua Hunt <johunt@akamai.com> > Signed-off-by: Vishwanath Pai <vpai@akamai.com> > --- > net/netfilter/ipset/ip_set_hash_ip.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c > index dd30c03d5a23..258aeb324483 100644 > --- a/net/netfilter/ipset/ip_set_hash_ip.c > +++ b/net/netfilter/ipset/ip_set_hash_ip.c > @@ -120,12 +120,14 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], > return ret; > > ip &= ip_set_hostmask(h->netmask); > - e.ip = htonl(ip); > - if (e.ip == 0) > + > + if (ip == 0) > return -IPSET_ERR_HASH_ELEM; > > - if (adt == IPSET_TEST) > + if (adt == IPSET_TEST) { > + e.ip = htonl(ip); > return adtfn(set, &e, &ext, &ext, flags); > + } > > ip_to = ip; > if (tb[IPSET_ATTR_IP_TO]) { > @@ -145,6 +147,10 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], > ip_set_mask_from_to(ip, ip_to, cidr); > } > > + e.ip = htonl(ip); > + if (e.ip == 0) > + return -IPSET_ERR_HASH_ELEM; > + > hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); > > /* 64bit division is not allowed on 32bit */ You are right, however the patch can be made much smaller if the e.ip conversion is simply moved from if (retried) { ip = ntohl(h->next.ip); e.ip = htonl(ip); } into the next for loop as the first instruction. Could you resend your patch that way? Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary
On 7/12/22 17:42, Jozsef Kadlecsik wrote: > Hi Vishwanath, > > On Wed, 29 Jun 2022, Vishwanath Pai wrote: > >> This patch introduced a regression: commit 48596a8ddc46 ("netfilter: >> ipset: Fix adding an IPv4 range containing more than 2^31 addresses") >> >> The variable e.ip is passed to adtfn() function which finally adds the >> ip address to the set. The patch above refactored the for loop and moved >> e.ip = htonl(ip) to the end of the for loop. >> >> What this means is that if the value of "ip" changes between the first >> assignement of e.ip and the forloop, then e.ip is pointing to a >> different ip address than "ip". >> >> Test case: >> $ ipset create jdtest_tmp hash:ip family inet hashsize 2048 maxelem 100000 >> $ ipset add jdtest_tmp 10.0.1.1/31 >> ipset v6.21.1: Element cannot be added to the set: it's already added >> >> The value of ip gets updated inside the "else if (tb[IPSET_ATTR_CIDR])" >> block but e.ip is still pointing to the old value. >> >> Reviewed-by: Joshua Hunt <johunt@akamai.com> >> Signed-off-by: Vishwanath Pai <vpai@akamai.com> >> --- >> net/netfilter/ipset/ip_set_hash_ip.c | 12 +++++++++--- >> 1 file changed, 9 insertions(+), 3 deletions(-) >> >> diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c >> index dd30c03d5a23..258aeb324483 100644 >> --- a/net/netfilter/ipset/ip_set_hash_ip.c >> +++ b/net/netfilter/ipset/ip_set_hash_ip.c >> @@ -120,12 +120,14 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], >> return ret; >> >> ip &= ip_set_hostmask(h->netmask); >> - e.ip = htonl(ip); >> - if (e.ip == 0) >> + >> + if (ip == 0) >> return -IPSET_ERR_HASH_ELEM; >> >> - if (adt == IPSET_TEST) >> + if (adt == IPSET_TEST) { >> + e.ip = htonl(ip); >> return adtfn(set, &e, &ext, &ext, flags); >> + } >> >> ip_to = ip; >> if (tb[IPSET_ATTR_IP_TO]) { >> @@ -145,6 +147,10 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], >> ip_set_mask_from_to(ip, ip_to, cidr); >> } >> >> + e.ip = htonl(ip); >> + if (e.ip == 0) >> + return -IPSET_ERR_HASH_ELEM; >> + >> hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); >> >> /* 64bit division is not allowed on 32bit */ > > You are right, however the patch can be made much smaller if the e.ip > conversion is simply moved from > > if (retried) { > ip = ntohl(h->next.ip); > e.ip = htonl(ip); > } > > into the next for loop as the first instruction. Could you resend > your patch that way? > > Best regards, > Jozsef > - > E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu > PGP key : https://urldefense.com/v3/__https://wigner.hu/*kadlec/pgp_public_key.txt__;fg!!GjvTz_vk!Ueht58Jfq7I9Q7kUGd0c_P7hXtIX50eqzQrTiCXOlath9rqfr5WF4srmHwNQ06rfNxUsBM7lCp3bew$ > Address : Wigner Research Centre for Physics > H-1525 Budapest 114, POB. 49, Hungary Hi Jozsef, Agreed that would be much simpler. I'll send a v2. Thanks, Vishwanath
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c index dd30c03d5a23..258aeb324483 100644 --- a/net/netfilter/ipset/ip_set_hash_ip.c +++ b/net/netfilter/ipset/ip_set_hash_ip.c @@ -120,12 +120,14 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], return ret; ip &= ip_set_hostmask(h->netmask); - e.ip = htonl(ip); - if (e.ip == 0) + + if (ip == 0) return -IPSET_ERR_HASH_ELEM; - if (adt == IPSET_TEST) + if (adt == IPSET_TEST) { + e.ip = htonl(ip); return adtfn(set, &e, &ext, &ext, flags); + } ip_to = ip; if (tb[IPSET_ATTR_IP_TO]) { @@ -145,6 +147,10 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[], ip_set_mask_from_to(ip, ip_to, cidr); } + e.ip = htonl(ip); + if (e.ip == 0) + return -IPSET_ERR_HASH_ELEM; + hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1); /* 64bit division is not allowed on 32bit */