Limit the maximal range of consecutive elements to add/delete fix

Avoid possible number overflows when calculating the number of consecutive elements. Also, compute properly the consecutive elements in the case of hash:net* types. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
author: Jozsef Kadlecsik <kadlec@netfilter.org> 2021-07-16 14:36:45 +0200
committer: Jozsef Kadlecsik <kadlec@netfilter.org> 2021-07-16 14:36:45 +0200
commit: a63d02aeb7d00a2546c8bfc966b415704979b043 (patch)
tree: 844aa3fbe03f995d38fdaf61656143a640806a3b /kernel/net/netfilter/ipset/ip_set_hash_ip.c
parent: 0ec051e61f0568e27688248dc28f568127780437 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_hash_ip.c b/kernel/net/netfilter/ipset/ip_set_hash_ip.c
index a3559d7..789b28a 100644
--- a/kernel/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/kernel/net/netfilter/ipset/ip_set_hash_ip.c
@@ -133,8 +133,11 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
-		if (ip > ip_to)
+		if (ip > ip_to) {
+			if (ip_to == 0)
+				return -IPSET_ERR_HASH_ELEM;
 			swap(ip, ip_to);
+		}
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 
@@ -145,7 +148,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 
 	hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
 
-	if ((ip_to - ip + 1)/hosts > IPSET_MAX_RANGE)
+	if (((u64)ip_to - ip + 1)/hosts > IPSET_MAX_RANGE)
 		return -ERANGE;
 
 	if (retried) {
author	Jozsef Kadlecsik <kadlec@netfilter.org>	2021-07-16 14:36:45 +0200
committer	Jozsef Kadlecsik <kadlec@netfilter.org>	2021-07-16 14:36:45 +0200
commit	a63d02aeb7d00a2546c8bfc966b415704979b043 (patch)
tree	844aa3fbe03f995d38fdaf61656143a640806a3b /kernel/net/netfilter/ipset/ip_set_hash_ip.c
parent	0ec051e61f0568e27688248dc28f568127780437 (diff)