summaryrefslogtreecommitdiffstats
path: root/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2018-01-12 10:36:25 +0100
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2018-01-12 10:36:25 +0100
commit82403f9c229f093e973888e778646b4206a1469f (patch)
tree6d8fb3cdfdc9aae1a0d8c0e953ebac575ae2d22a /kernel/net/netfilter/ipset/ip_set_hash_netiface.c
parentb1b217c885e1ad36d0b0a5a83fc1900e3a6d71ed (diff)
Fix wraparound bug introduced in commit 48596a8ddc46
The patch "netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses" introduced a wraparound bug, which could lead to memory exhaustion when adding an x.x.x.x-255.255.255.255 range to any hash:*net* types. Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark.
Diffstat (limited to 'kernel/net/netfilter/ipset/ip_set_hash_netiface.c')
-rw-r--r--kernel/net/netfilter/ipset/ip_set_hash_netiface.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_hash_netiface.c b/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
index a111f7c..641c8af 100644
--- a/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/kernel/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -200,7 +200,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, last;
+ u32 ip = 0, ip_to = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -255,17 +255,16 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
if (retried)
ip = ntohl(h->next.ip);
- while (ip <= ip_to) {
+ do {
e.ip = htonl(ip);
- last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
+ ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
ret = 0;
- ip = last + 1;
- }
+ } while (ip++ < ip_to);
return ret;
}