From: Li Wei <lw@cn.fujitsu.com>
To: davem@davemloft.net
Cc: eric.dumazet@gmail.com, netdev@vger.kernel.org,
Li Wei <lw@cn.fujitsu.com>
Subject: [PATCH v4] ipv6: fix incorrect route 'expires' value passed to userspace
Date: Mon, 30 Jul 2012 10:01:30 +0800 [thread overview]
Message-ID: <1343613690-3236-1-git-send-email-lw@cn.fujitsu.com> (raw)
In-Reply-To: <1343199114.2626.11088.camel@edumazet-glaptop>
When userspace use RTM_GETROUTE to dump route table, with an already
expired route entry, we always got an 'expires' value(2147157)
calculated base on INT_MAX.
The reason of this problem is in the following satement:
rt->dst.expires - jiffies < INT_MAX
gcc promoted the type of both sides of '<' to unsigned long, thus
a small negative value would be considered greater than INT_MAX.
With the help of Eric Dumazet, do the out of bound checks in
rtnl_put_cacheinfo(), _after_ conversion to clock_t.
Signed-off-by: Li Wei <lw@cn.fujitsu.com>
---
In fact, all the code was reconstructed by Eric, I just put the
commit log and resent it to the maillist, thanks Eric!
net/core/rtnetlink.c | 8 ++++++--
net/ipv6/route.c | 8 ++------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index bc9e380..5ff949d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -625,9 +625,13 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id,
.rta_id = id,
};
- if (expires)
- ci.rta_expires = jiffies_to_clock_t(expires);
+ if (expires) {
+ unsigned long clock;
+ clock = jiffies_to_clock_t(abs(expires));
+ clock = min_t(unsigned long, clock, INT_MAX);
+ ci.rta_expires = (expires > 0) ? clock : -clock;
+ }
return nla_put(skb, RTA_CACHEINFO, sizeof(ci), &ci);
}
EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index cf02cb9..8e80fd2 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2480,12 +2480,8 @@ static int rt6_fill_node(struct net *net,
goto nla_put_failure;
if (nla_put_u32(skb, RTA_PRIORITY, rt->rt6i_metric))
goto nla_put_failure;
- if (!(rt->rt6i_flags & RTF_EXPIRES))
- expires = 0;
- else if (rt->dst.expires - jiffies < INT_MAX)
- expires = rt->dst.expires - jiffies;
- else
- expires = INT_MAX;
+
+ expires = (rt->rt6i_flags & RTF_EXPIRES) ? rt->dst.expires - jiffies : 0;
if (rtnl_put_cacheinfo(skb, &rt->dst, 0, expires, rt->dst.error) < 0)
goto nla_put_failure;
--
1.7.10.1
next prev parent reply other threads:[~2012-07-30 2:03 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-16 8:09 [PATCH] ipv6: fix incorrect route 'expires' value passed to userspace Li Wei
2012-07-16 9:56 ` David Miller
2012-07-17 1:55 ` Li Wei
2012-07-19 2:02 ` [PATCH V2] " Li Wei
2012-07-19 17:49 ` David Miller
2012-07-20 1:32 ` Li Wei
2012-07-20 1:42 ` [PATCH V2 resend] " Li Wei
2012-07-20 10:32 ` David Laight
2012-07-20 18:22 ` David Miller
2012-07-23 1:05 ` Li Wei
2012-07-25 5:25 ` [PATCH V3] " Li Wei
2012-07-25 6:51 ` Eric Dumazet
2012-07-25 7:33 ` Li Wei
2012-07-30 2:01 ` Li Wei [this message]
2012-07-30 6:20 ` [PATCH v4] " David Miller
2012-07-23 1:02 ` [PATCH V2 resend] " Li Wei
2012-07-16 16:41 ` [PATCH] " Stephen Hemminger
2012-07-17 1:53 ` Li Wei
2012-07-17 5:26 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1343613690-3236-1-git-send-email-lw@cn.fujitsu.com \
--to=lw@cn.fujitsu.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).