From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jay Elliott <jelliott@arista.com>
Cc: fw@strlen.de, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v4] netfilter: conntrack: clamp timeouts to INT_MAX
Date: Tue, 28 Nov 2017 00:24:29 +0100 [thread overview]
Message-ID: <20171127232429.GA29199@salvia> (raw)
In-Reply-To: <1510786873-60834-1-git-send-email-jelliott@arista.com>
On Wed, Nov 15, 2017 at 03:01:13PM -0800, Jay Elliott wrote:
> When the conntracking code multiplies a timeout by HZ, it can overflow
> from positive to negative; this causes it to instantly expire. To
> protect against this the multiplication is done in 64-bit so we can
> prevent it from exceeding INT_MAX.
This is something you must be observing via conntrack utility or
conntrackd?
> Signed-off-by: Jay Elliott <jelliott@arista.com>
> ---
> net/netfilter/nf_conntrack_netlink.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index de4053d..41db7e3 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1560,9 +1560,11 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
> static int ctnetlink_change_timeout(struct nf_conn *ct,
> const struct nlattr * const cda[])
> {
> - u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
> + u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
>
> - ct->timeout = nfct_time_stamp + timeout * HZ;
> + if (timeout > INT_MAX)
> + timeout = INT_MAX;
> + ct->timeout = nfct_time_stamp + (u32)timeout;
>
> if (test_bit(IPS_DYING_BIT, &ct->status))
> return -ETIME;
> @@ -1762,6 +1764,7 @@ static int change_seq_adj(struct nf_ct_seqadj *seq,
> int err = -EINVAL;
> struct nf_conntrack_helper *helper;
> struct nf_conn_tstamp *tstamp;
> + u64 timeout;
>
> ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
> if (IS_ERR(ct))
> @@ -1770,7 +1773,10 @@ static int change_seq_adj(struct nf_ct_seqadj *seq,
> if (!cda[CTA_TIMEOUT])
> goto err1;
>
> - ct->timeout = nfct_time_stamp + ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
> + timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
> + if (timeout > INT_MAX)
> + timeout = INT_MAX;
> + ct->timeout = (u32)timeout + nfct_time_stamp;
>
> rcu_read_lock();
> if (cda[CTA_HELP]) {
> --
> 1.8.1.4
>
next prev parent reply other threads:[~2017-11-27 23:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-15 23:01 [PATCH v4] netfilter: conntrack: clamp timeouts to INT_MAX Jay Elliott
2017-11-27 23:24 ` Pablo Neira Ayuso [this message]
2017-11-28 0:12 ` Florian Westphal
2017-11-28 0:14 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171127232429.GA29199@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=jelliott@arista.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.