From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] netfilter: nft_rbtree: fix data handling of end interval elements
Date: Fri, 7 Feb 2014 13:20:14 +0000 [thread overview]
Message-ID: <20140207132014.GA21147@macbook.localnet> (raw)
In-Reply-To: <1391778947-8957-2-git-send-email-pablo@netfilter.org>
On Fri, Feb 07, 2014 at 02:15:47PM +0100, Pablo Neira Ayuso wrote:
> This patch fixes several things related to the handling of
> end interval elements:
>
> * Chain use underflow with intervals and map: If you add a rule
> using intervals+map that introduces a loop, the error path of the
> rbtree set decrements the chain refcount for each side of the
> interval, leading to a chain use counter underflow.
>
> * Don't copy the data part of the end interval element since this
> area is uninitialized and this confuses the loop detection code.
>
> * Don't allocate room for the data part of end interval elements
> since this is unused.
>
> So, after this patch the idea is that end interval elements don't
> have a data part.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> This patch extends http://patchwork.ozlabs.org/patch/317485/.
>
> @Patrick, you mentioned also that nft_hash needs to be adjusted, but
> after looking at this again I think there's no problem there since
> hash cannot currently be selected for interval sets. Thanks for your
> comments on the initial patch :)
Correct, just noticed that myself :)
Acked-by: Patrick McHardy <kaber@trash.net>
for both patches.