From 15932461c91e8aedf54e885d429b954b439605d2 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@netfilter.org>
Date: Wed, 14 Jul 2021 12:37:07 +0200
Subject: Limit the maximal range of consecutive elements to add/delete

The range size of consecutive elements were not limited. Thus one
could define a huge range which may result soft lockup errors due
to the long execution time. Now the range size is limited to 2^20
entries. Reported by Brad Spengler.

Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
 kernel/include/linux/netfilter/ipset/ip_set.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'kernel/include/linux/netfilter/ipset')

diff --git a/kernel/include/linux/netfilter/ipset/ip_set.h b/kernel/include/linux/netfilter/ipset/ip_set.h
index 554f90f..3a6963c 100644
--- a/kernel/include/linux/netfilter/ipset/ip_set.h
+++ b/kernel/include/linux/netfilter/ipset/ip_set.h
@@ -199,6 +199,9 @@ struct ip_set_region {
 	u32 elements;		/* Number of elements vs timeout */
 };
 
+/* Max range where every element is added/deleted in one step */
+#define IPSET_MAX_RANGE		(1<<20)
+
 /* The max revision number supported by any set type + 1 */
 #define IPSET_REVISION_MAX	9
 
-- 
cgit v1.2.3