
[nft,0/2] Prevent kernel from adding concatenated ranges if they're not supported

Message ID cover.1586806931.git.sbrivio@redhat.com

Message

Stefano Brivio April 13, 2020, 7:48 p.m. UTC
This series fixes the nft crash recently reported by Pablo with older
(< 5.6) kernels: use the NFT_SET_CONCAT flag whenever we send a set
including concatenated ranges, so that kernels not supporting them
will not add them altogether, and we won't crash while trying to list
the malformed sets that are added as a result.

Stefano Brivio (2):
  include: Resync nf_tables.h cache copy
  src: Set NFT_SET_CONCAT flag for sets with concatenated ranges

 include/linux/netfilter/nf_tables.h | 2 ++
 src/evaluate.c                      | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
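The mechanism the cover letter relies on is that a kernel refuses a set whose flags include a bit it does not know, so sending NFT_SET_CONCAT with every set of concatenated ranges turns a silently malformed set into a clean rejection on pre-5.6 kernels. The following is an added illustration of that flag gating, written for this page; it is a toy model, not code from nftables or from the series. The flag values are those of `enum nft_set_flags` in the kernel's nf_tables.h; `SetSpec`, `evaluate_set_flags`, `KernelModel` and the `"EOPNOTSUPP"` label are assumptions made for the model.

```python
# Toy model of NFT_SET_CONCAT as a capability gate. Added example for this
# page; it is not nftables code and does not reproduce src/evaluate.c.
from dataclasses import dataclass

# Flag values from the kernel's nf_tables.h (enum nft_set_flags).
NFT_SET_ANONYMOUS = 0x1
NFT_SET_CONSTANT = 0x2
NFT_SET_INTERVAL = 0x4
NFT_SET_MAP = 0x8
NFT_SET_TIMEOUT = 0x10
NFT_SET_EVAL = 0x20
NFT_SET_OBJECT = 0x40
NFT_SET_CONCAT = 0x80  # only known to kernels >= 5.6


@dataclass
class SetSpec:
    """Hypothetical description of a set as userspace sees it before sending it."""
    name: str
    key_fields: list   # e.g. ["ip saddr", "tcp dport"]; more than one field = concatenation
    interval: bool     # True when the set holds ranges ("flags interval")
    flags: int = 0     # flags the user asked for explicitly


def evaluate_set_flags(s: SetSpec) -> int:
    """Userspace side: a range set gets NFT_SET_INTERVAL, and a range set over a
    concatenated key additionally gets NFT_SET_CONCAT, so the kernel can tell
    whether it is being asked for something it supports."""
    flags = s.flags
    if s.interval:
        flags |= NFT_SET_INTERVAL
        if len(s.key_fields) > 1:
            flags |= NFT_SET_CONCAT
    return flags


class KernelModel:
    """Hypothetical kernel that accepts only the set flags it knows about."""

    def __init__(self, version: tuple):
        known = (NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | NFT_SET_INTERVAL
                 | NFT_SET_MAP | NFT_SET_TIMEOUT | NFT_SET_EVAL | NFT_SET_OBJECT)
        if version >= (5, 6):
            known |= NFT_SET_CONCAT
        self.known_flags = known
        self.sets = {}

    def add_set(self, name: str, flags: int) -> str:
        # Unknown flag bits are refused up front; the set is never stored, so
        # there is nothing malformed left behind for a later list operation.
        if flags & ~self.known_flags:
            return "EOPNOTSUPP"
        self.sets[name] = flags
        return "OK"


def push_set(kernel: KernelModel, s: SetSpec) -> str:
    """Evaluate the set in userspace and hand it to the (model) kernel."""
    return kernel.add_set(s.name, evaluate_set_flags(s))


if __name__ == "__main__":
    # Constructed inputs: one plain range set, one set of concatenated ranges.
    plain = SetSpec("plain_ranges", ["ip saddr"], interval=True)
    concat = SetSpec("concat_ranges", ["ip saddr", "tcp dport"], interval=True)
    for ver in ((5, 5), (5, 6)):
        k = KernelModel(ver)
        print(ver, push_set(k, plain), push_set(k, concat))
```

On the old-kernel path the concatenated set is refused and `kernel.sets` stays free of it, while a plain range set is still accepted; on the 5.6 model both are accepted. That is the whole point of the series: the flag carries the requirement to the kernel instead of leaving it to infer from the key layout.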

Comments

Pablo Neira Ayuso April 14, 2020, 9:16 p.m. UTC | #1
On Mon, Apr 13, 2020 at 09:48:01PM +0200, Stefano Brivio wrote:
> This series fixes the nft crash recently reported by Pablo with older
> (< 5.6) kernels: use the NFT_SET_CONCAT flag whenever we send a set
> including concatenated ranges, so that kernels not supporting them
> will not add them altogether, and we won't crash while trying to list
> the malformed sets that are added as a result.

Applied, thanks.