diff options
| author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2012-05-04 21:37:28 +0200 |
|---|---|---|
| committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2012-05-04 21:37:28 +0200 |
| commit | 7219d88329cabcdd05df9477af6e2dee007b60b1 (patch) | |
| tree | 1acd3e29f2bbbce49dc8e2b0e0d8ed18a9f111a3 /kernel | |
| parent | 02cb61dcb7a120b7a5f7a480fd2b43f49e28dafc (diff) | |
Fix timeout value overflow bug at large timeout parameters
Large timeout parameters could result wrong timeout values due to
an overflow at msec to jiffies conversion (reported by Andreas Herz)
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/include/linux/netfilter/ipset/ip_set_timeout.h | 4 | ||||
| -rw-r--r-- | kernel/net/netfilter/xt_set.c | 15 |
2 files changed, 17 insertions, 2 deletions
diff --git a/kernel/include/linux/netfilter/ipset/ip_set_timeout.h b/kernel/include/linux/netfilter/ipset/ip_set_timeout.h index 4792320..9fba34f 100644 --- a/kernel/include/linux/netfilter/ipset/ip_set_timeout.h +++ b/kernel/include/linux/netfilter/ipset/ip_set_timeout.h @@ -30,6 +30,10 @@ ip_set_timeout_uget(struct nlattr *tb) { unsigned int timeout = ip_set_get_h32(tb); + /* Normalize to fit into jiffies */ + if (timeout > UINT_MAX/1000) + timeout = UINT_MAX/1000; + /* Userspace supplied TIMEOUT parameter: adjust crazy size */ return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout; } diff --git a/kernel/net/netfilter/xt_set.c b/kernel/net/netfilter/xt_set.c index 0ec8138..e97a31b 100644 --- a/kernel/net/netfilter/xt_set.c +++ b/kernel/net/netfilter/xt_set.c @@ -44,6 +44,14 @@ const struct ip_set_adt_opt n = { \ .cmdflags = cfs, \ .timeout = t, \ } +#define ADT_MOPT(n, f, d, fs, cfs, t) \ +struct ip_set_adt_opt n = { \ + .family = f, \ + .dim = d, \ + .flags = fs, \ + .cmdflags = cfs, \ + .timeout = t, \ +} /* Revision 0 interface: backward compatible with netfilter/iptables */ @@ -296,11 +304,14 @@ static unsigned int set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_set_info_target_v2 *info = par->targinfo; - ADT_OPT(add_opt, par->family, info->add_set.dim, - info->add_set.flags, info->flags, info->timeout); + ADT_MOPT(add_opt, par->family, info->add_set.dim, + info->add_set.flags, info->flags, info->timeout); ADT_OPT(del_opt, par->family, info->del_set.dim, info->del_set.flags, 0, UINT_MAX); + /* Normalize to fit into jiffies */ + if (add_opt.timeout > UINT_MAX/1000) + add_opt.timeout = UINT_MAX/1000; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); if (info->del_set.index != IPSET_INVALID_ID) |