From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netfilter-devel@vger.kernel.org, security@kernel.org,
fw@strlen.de, phil@nwl.cc, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
horms@kernel.org, shuah@kernel.org, yuantan098@gmail.com,
bird@lzu.edu.cn, z1652074432@gmail.com, kaber@trash.net,
yasuyuki.kozakai@toshiba.co.jp, yifanwucs@gmail.com,
tomapufckgml@gmail.com, enjou1224z@gmail.com
Subject: Re: [PATCH v2] netfilter: xt_multiport: reject trailing range markers
Date: Wed, 1 Apr 2026 01:39:41 +0200 [thread overview]
Message-ID: <acxbPWCI6timYqiL@chamomile> (raw)
In-Reply-To: <acxY3z1h2qkpzaEw@chamomile>
On Wed, Apr 01, 2026 at 01:29:38AM +0200, Pablo Neira Ayuso wrote:
> Hi,
>
> On Sat, Mar 28, 2026 at 10:51:23PM +0800, Ren Wei wrote:
> > diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
> > index 44a00f5acde8..38aa5b90d38e 100644
> > --- a/net/netfilter/xt_multiport.c
> > +++ b/net/netfilter/xt_multiport.c
> > @@ -26,10 +26,10 @@ MODULE_ALIAS("ip6t_multiport");
> > /* Returns 1 if the port is matched by the test, 0 otherwise. */
> > static inline bool
> > ports_match_v1(const struct xt_multiport_v1 *minfo,
> > - u_int16_t src, u_int16_t dst)
> > + u16 src, u16 dst)
> > {
> > unsigned int i;
> > - u_int16_t s, e;
> > + u16 s, e;
> >
> > for (i = 0; i < minfo->count; i++) {
> > s = minfo->ports[i];
>
> I see, this is a cleanup to use preferred datatypes.
>
> > @@ -106,20 +106,36 @@ multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
> > }
> >
> > static inline bool
> > -check(u_int16_t proto,
> > - u_int8_t ip_invflags,
> > - u_int8_t match_flags,
> > - u_int8_t count)
> > +multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
> > +{
> > + unsigned int i;
> > +
> > + for (i = 0; i < multiinfo->count; i++) {
> > + if (!multiinfo->pflags[i])
> > + continue;
> > +
> > + if (i == multiinfo->count - 1)
> > + return false;
> > +
> > + i++;
> > + }
>
> Why so convoluted? This should just fix this bug:
>
> static bool multiport_valid_ranges(const struct xt_multiport_v1 *multiinfo)
> {
> return multiinfo->pflags[multiinfo->count - 1] == 0;
> }
Another possibility is full-blown range validation, ie.
if pflags[i] is one, then pflags[i+1] must be zero, checking that i+1
do not go over XT_MULTI_PORTS beforehand.
next prev parent reply other threads:[~2026-03-31 23:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1774624314.git.n05ec@lzu.edu.cn>
2026-03-28 14:51 ` [PATCH v2] netfilter: xt_multiport: reject trailing range markers Ren Wei
2026-03-31 23:29 ` Pablo Neira Ayuso
2026-03-31 23:39 ` Pablo Neira Ayuso [this message]
2026-04-02 17:34 ` [PATCH v2] netfilter: xt_multiport: validate range encoding in checkentry Ren Wei
2026-04-02 18:21 ` [PATCH v3] " Ren Wei
2026-04-03 11:31 ` Pablo Neira Ayuso
2026-04-03 11:38 ` Pablo Neira Ayuso
2026-04-03 15:52 ` [PATCH v4] " Ren Wei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acxbPWCI6timYqiL@chamomile \
--to=pablo@netfilter.org \
--cc=bird@lzu.edu.cn \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=enjou1224z@gmail.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kaber@trash.net \
--cc=kuba@kernel.org \
--cc=n05ec@lzu.edu.cn \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=phil@nwl.cc \
--cc=security@kernel.org \
--cc=shuah@kernel.org \
--cc=tomapufckgml@gmail.com \
--cc=yasuyuki.kozakai@toshiba.co.jp \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
--cc=z1652074432@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.