netfilter-devel.vger.kernel.org archive mirror
* [PATCH nft 1/2] segtree: wrong prefix expression length on interval_map_decompose()
@ 2016-12-13  0:42 Pablo Neira Ayuso
  2016-12-13  0:42 ` [PATCH nft 2/2] segtree: don't trigger error on exact overlaps Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-12-13  0:42 UTC
  To: netfilter-devel; +Cc: richard.moerbitz

interval_map_decompose() sets expr->len to zero. This causes problems
from expr_to_intervals() that calls range_expr_value_high() and
calculates:

	 expr->len - expr->prefix_len

this operation underflows, then mpz_init_bitmask() allocates a huge
bitmask.

Use expr_value(i)->len given that we already use this to calculate the
prefix length.

Reported-by: Richard Mörbitz <richard.moerbitz@tu-dresden.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/segtree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/segtree.c b/src/segtree.c
index 32e071f6b5e8..45e5f5b22e2e 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -693,7 +693,8 @@ void interval_map_decompose(struct expr *set)
 			prefix_len = expr_value(i)->len - mpz_scan0(range, 0);
 			prefix = prefix_expr_alloc(&low->location, expr_value(low),
 						   prefix_len);
-			prefix->len = low->len;
+			prefix->len = expr_value(i)->len;
+
 			prefix = set_elem_expr_alloc(&low->location, prefix);
 			if (low->ops->type == EXPR_MAPPING)
 				prefix = mapping_expr_alloc(&low->location, prefix,
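
Review bot: the new assignment `prefix->len = expr_value(i)->len;` is safe only because the line just above it, `prefix_len = expr_value(i)->len - mpz_scan0(range, 0);`, derives prefix_len from that same length, and nothing in the code records this. A one-line comment stating that prefix->len must never be smaller than prefix_len (the commit message says range_expr_value_high() subtracts one from the other) would keep a later edit from reintroducing the underflow. The blank `+` line after the assignment looks unintentional, and the diffstat touches only src/segtree.c, so a regression test for the reported case would be worth adding to the series.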
-- 
2.1.4



* [PATCH nft 2/2] segtree: don't trigger error on exact overlaps
  2016-12-13  0:42 [PATCH nft 1/2] segtree: wrong prefix expression length on interval_map_decompose() Pablo Neira Ayuso
@ 2016-12-13  0:42 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2016-12-13  0:42 UTC
  To: netfilter-devel; +Cc: richard.moerbitz

So adding the same element doesn't trigger any error:

 # nft add element filter bogons { 3.3.3.123/24 }
 # nft add element filter bogons { 3.3.3.123/24 }

Still, the kernel reports an error if we use create instead:

 # nft create element filter bogons { 3.3.3.123/24 }
 <cmdline>:1:1-46: Error: Could not process rule: File exists
 create element filter bogons { 3.3.3.123/24 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/segtree.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/segtree.c b/src/segtree.c
index 45e5f5b22e2e..5b6cdd1d770d 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -336,6 +336,10 @@ static unsigned int expr_to_intervals(const struct expr *set,
 static bool interval_overlap(const struct elementary_interval *e1,
 			     const struct elementary_interval *e2)
 {
+	if (mpz_cmp(e1->left, e2->left) == 0 &&
+	    mpz_cmp(e1->right, e2->right) == 0)
+		return false;
+
 	return (mpz_cmp(e1->left, e2->left) >= 0 &&
 	        mpz_cmp(e1->left, e2->right) <= 0) ||
 	       (mpz_cmp(e1->right, e2->left) >= 0 &&
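
Review bot: the early return at the top of interval_overlap() makes the function answer false for two identical intervals, which contradicts its name and is not explained anywhere in the code. Add a comment saying that exact duplicates are deliberately let through here and left to the kernel, which per the commit message still rejects them for `create` with "File exists". The check compares only `left` and `right`, so please confirm that two elements with equal bounds cannot differ in anything else that should conflict, for example the data side of an EXPR_MAPPING element. No test accompanies the change; the add/add and create sequences from the commit message would make a good one.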
-- 
2.1.4


