Message ID | 20221130121934.1125-2-pablo@netfilter.org |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [net,1/4] netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one | expand |
Hello: This series was applied to netdev/net.git (master) by Pablo Neira Ayuso <pablo@netfilter.org>: On Wed, 30 Nov 2022 13:19:31 +0100 you wrote: > From: Stefano Brivio <sbrivio@redhat.com> > > Embarrassingly, nft_pipapo_insert() checked for interval validity in > the first field only. > > The start_p and end_p pointers were reset to key data from the first > field at every iteration of the loop which was supposed to go over > the set fields. > > [...] Here is the summary with links: - [net,1/4] netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one https://git.kernel.org/netdev/net/c/97d4d394b587 - [net,2/4] netfilter: flowtable_offload: fix using __this_cpu_add in preemptible https://git.kernel.org/netdev/net/c/a81047154e7c - [net,3/4] netfilter: conntrack: fix using __this_cpu_add in preemptible https://git.kernel.org/netdev/net/c/9464d0b68f11 - [net,4/4] netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark https://git.kernel.org/netdev/net/c/1feeae071507 You are awesome, thank you!
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index 4f9299b9dcdd..06d46d182634 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -1162,6 +1162,7 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, struct nft_pipapo_match *m = priv->clone; u8 genmask = nft_genmask_next(net); struct nft_pipapo_field *f; + const u8 *start_p, *end_p; int i, bsize_max, err = 0; if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) @@ -1202,9 +1203,9 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set, } /* Validate */ + start_p = start; + end_p = end; nft_pipapo_for_each_field(f, i, m) { - const u8 *start_p = start, *end_p = end; - if (f->rules >= (unsigned long)NFT_PIPAPO_RULE0_MAX) return -ENOSPC;