From mboxrd@z Thu Jan 1 00:00:00 1970 From: Pablo Neira Ayuso Subject: Re: [PATCH 1/4] netfilter: ipset: fix timeout value overflow bug Date: Mon, 14 May 2012 21:00:15 +0200 Message-ID: <20120514190015.GB14897@1984> References: <1336996023-20249-2-git-send-email-pablo@netfilter.org> <20120514143635.GA12992@1984> <1337006844.8512.491.camel@edumazet-glaptop> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Eric Dumazet , David Laight , netfilter-devel@vger.kernel.org, davem@davemloft.net, netdev@vger.kernel.org To: Jozsef Kadlecsik Return-path: Content-Disposition: inline In-Reply-To: Sender: netdev-owner@vger.kernel.org List-Id: netfilter-devel.vger.kernel.org On Mon, May 14, 2012 at 07:45:07PM +0200, Jozsef Kadlecsik wrote: > On Mon, 14 May 2012, Eric Dumazet wrote: > > > On Mon, 2012-05-14 at 16:36 +0200, Pablo Neira Ayuso wrote: > > > On Mon, May 14, 2012 at 03:19:49PM +0100, David Laight wrote: > > > > > > > > > --- a/include/linux/netfilter/ipset/ip_set_timeout.h > > > > > +++ b/include/linux/netfilter/ipset/ip_set_timeout.h > > > > > @@ -30,6 +30,10 @@ ip_set_timeout_uget(struct nlattr *tb) > > > > > { > > > > > unsigned int timeout = ip_set_get_h32(tb); > > > > > > > > > > + /* Normalize to fit into jiffies */ > > > > > + if (timeout > UINT_MAX/1000) > > > > > + timeout = UINT_MAX/1000; > > > > > + > > > > > > > > Doesn't that rather assume that HZ is 1000 ? > > > > > > Indeed. I overlooked that. Thanks David. > > > > I dont think so. > > > > 1000 here is really MSEC_PER_SEC > > > > (All occurrences should be changed in this file) > > Yes, exactly. Pablo, shall I produce a little patch or could you change > 1000 to MSEC_PER_SEC? I'll mangle this myself. No need to send a new patch.