From: Jan Engelhardt <jengelh@inai.de>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH 7/7] libxt_*limit: avoid division by zero
Date: Sat, 28 Jul 2012 19:21:09 +0200
Message-ID: <1343496069-5442-8-git-send-email-jengelh@inai.de>
In-Reply-To: <1343496069-5442-1-git-send-email-jengelh@inai.de>

It was possible to specify -A mychain -m hashlimit --hashlimit
600059/minute; this would convert to r->avg=0, which subsequently
causes a division by zero when printing with -S mychain.

1. Avoid division by zero in print_rate by printing infinity
instead.
2. Rewrite the test in parse_rate to properly reject too high rates.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
extensions/libxt_hashlimit.c | 17 ++++++++++++-----
extensions/libxt_limit.c | 17 ++++++++++++-----
2 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 37a3148..831345b 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -10,6 +10,7 @@
*
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
+#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
@@ -250,12 +251,13 @@ int parse_rate(const char *rate, uint32_t *val, struct hashlimit_mt_udata *ud)
if (!r)
return 0;
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / ud->mult > XT_HASHLIMIT_SCALE)
- xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
-
*val = XT_HASHLIMIT_SCALE * ud->mult / r;
+ if (*val == 0)
+ /*
+ * The rate maps to infinity. (1/day is the minimum they can
+ * specify, so we are ok at that end).
+ */
+ xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
return 1;
}
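Review bot: In parse_rate, the new `if (*val == 0)` puts a multi-line comment between the condition and its single unbraced statement, which makes it easy to misread or to break when another statement is added later. Please either brace the body or move the comment above the `if`. Note also that `*val` is now stored before the error path runs, so the caller only stays safe because xtables_error() is not expected to return, as the old code also assumed; a short comment saying so would help.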
@@ -434,6 +436,11 @@ static uint32_t print_rate(uint32_t period)
{
unsigned int i;
+ if (period == 0) {
+ printf(" %f", INFINITY);
+ return 0;
+ }
+
for (i = 1; i < ARRAY_SIZE(rates); ++i)
if (period > rates[i].mult
|| rates[i].mult/period < rates[i].mult%period)
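Review bot: The `printf(" %f", INFINITY)` in the `period == 0` branch of print_rate emits text whose exact spelling ("inf" or "infinity") is implementation-defined for `%f` and which carries no `/unit` suffix, so `-S` output for such a rule may not be something parse_rate will accept on reload. Consider printing a fixed, documented token instead and checking that a save and restore round trip behaves sensibly. The `return 0;` here also needs a look: print_rate returns uint32_t, and nothing in the hunk shows what the caller does with a zero result.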
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index b15b02f..023500c 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -3,6 +3,7 @@
* Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
* Hervé Eychenne <rv@wallfire.org>
*/
+#include <math.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
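Review bot: The added `#include <math.h>` is used, in the lines shown, only for the `INFINITY` macro passed to printf in print_rate. If that branch printed a fixed string instead, the include could be dropped here and in libxt_hashlimit.c.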
@@ -64,12 +65,13 @@ int parse_rate(const char *rate, uint32_t *val)
if (!r)
return 0;
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > XT_LIMIT_SCALE)
- xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
-
*val = XT_LIMIT_SCALE * mult / r;
+ if (*val == 0)
+ /*
+ * The rate maps to infinity. (1/day is the minimum they can
+ * specify, so we are ok at that end).
+ */
+ xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate);
return 1;
}
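Review bot: The `*val == 0` rejection in this parse_rate is a line-for-line copy of the one in libxt_hashlimit.c, differing only in `mult` versus `ud->mult` and the scale constant, so the two can drift apart on the next fix. Consider a shared helper, or at least a comment in each file pointing at the other.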
@@ -118,6 +120,11 @@ static void print_rate(uint32_t period)
{
unsigned int i;
+ if (period == 0) {
+ printf(" %f", INFINITY);
+ return;
+ }
+
for (i = 1; i < ARRAY_SIZE(rates); ++i)
if (period > rates[i].mult
|| rates[i].mult/period < rates[i].mult%period)
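Review bot: The `period == 0` guard in print_rate has no comment explaining when it can still be hit once parse_rate rejects rates that map to zero. If the intent is to cope with rules that reached the kernel by another path (for example, loaded by an older binary, which is my assumption), please say so above the `if` so the branch is not later removed as dead code.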
--
1.7.7