From: Florian Westphal <fw@strlen.de>
To: Jay Elliott <jelliott@arista.com>
Cc: Florian Westphal <fw@strlen.de>,
pablo@netfilter.org, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v2] netfilter: conntrack: clamp timeouts to INT_MAX
Date: Tue, 14 Nov 2017 07:41:05 +0100 [thread overview]
Message-ID: <20171114064105.GP5512@breakpoint.cc> (raw)
In-Reply-To: <CA+c2rSiciLQiJqzfdwo9p4_POQSZW1mmaQCfsMwPvm4td2wLAw@mail.gmail.com>
Jay Elliott <jelliott@arista.com> wrote:
> On Sat, Nov 11, 2017 at 10:27 AM, Florian Westphal <fw@strlen.de> wrote:
> > It also looks wrong.
> > let ct->timeout be 1000.
> > let nfct_time_stamp be 0x80000000
> >
> > Then ct->timout is capped to 0x7fffffff.
> > Next check considers the timeout to be expired, as 0x7fff... - 0x800 < 0.
>
> Thanks for pointing that out; it does look like something that could
> cause troubles.
>
> Is it alright if I submit a fix to this as a separate patch? I
> *think* I have a solution (pending some testing), but I also think
> it's outside of the scope of this commit since it's a pre-existing
> problem so I'd like to fix it separately.
Sorry, I am not following. This problem is added with this patch.
> > So I guess best bet is to actually do a 64bit multiplication, as you
> > did, then truncate.
> >
> > Please use u64 for this (the u_intXX_t types are prehistoric leftovers).
>
> So to clarify, are changing the u_int64_t variables to u64 and fixing
> the case where nfct_time_stamp >= 0x8000... the only changes that need
> to be made based on the v2 patch I sent out?
Yes, I think so, only changes in nfnetlink.c are needed, i.e. (totally untested):
- u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
+ u64 timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+
+ if (timeout > INT_MAX)
timeout = INT_MAX;
- ct->timeout = nfct_time_stamp + timeout * HZ;
+ ct->timeout = nfct_time_stamp + (u32)timeout;
if (test_bit(IPS_DYING_BIT, &ct->status))
return -ETIME;
@@ -1762,6 +1765,8 @@ static int change_seq_adj(struct nf_ct_seqadj *seq,
int err = -EINVAL;
struct nf_conntrack_helper *helper;
struct nf_conn_tstamp *tstamp;
+ u64 timeout_nla;
ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
if (IS_ERR(ct))
@@ -1770,7 +1775,11 @@ static int change_seq_adj(struct nf_ct_seqadj *seq,
if (!cda[CTA_TIMEOUT])
goto err1;
- ct->timeout = nfct_time_stamp + ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+ timeout_nla = ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+ if (timeout_nla > INT_MAX)
+ timeout_nla = INT_MAX;
+ ct->timeout = nfct_time_stamp + timeout_nla;
prev parent reply other threads:[~2017-11-14 6:41 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-11 10:08 [PATCH v2] netfilter: conntrack: clamp timeouts to INT_MAX Jay Elliott
2017-11-11 18:27 ` Florian Westphal
2017-11-14 2:25 ` Jay Elliott
2017-11-14 6:41 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171114064105.GP5512@breakpoint.cc \
--to=fw@strlen.de \
--cc=jelliott@arista.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.