* [PATCH 0/3] ipset fixes
From: Jozsef Kadlecsik @ 2012-09-21 20:38 UTC
To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Here follows two important ipset fixes against your nf tree. (The first
patch is an old one somehow forgotten to send or apply and the other
ones depend on it.)

You can pull these changes from:

  git://blackhole.kfki.hu/nf master

Best regards,
Jozsef

Jozsef Kadlecsik (3):
  netfilter: ipset: Fix sparse warnings "incorrect type in assignment"
  netfilter: ipset: Check and reject crazy /0 input parameters
  netfilter: ipset: Fix cidr book keeping for hash:*net* types

 include/linux/netfilter/ipset/ip_set_ahash.h |  104 ++++++++++++++------------
 net/netfilter/ipset/ip_set_bitmap_ip.c       |   10 ++-
 net/netfilter/ipset/ip_set_bitmap_ipmac.c    |    5 +-
 net/netfilter/ipset/ip_set_hash_ip.c         |    6 +-
 net/netfilter/ipset/ip_set_hash_ipport.c     |   15 ++--
 net/netfilter/ipset/ip_set_hash_ipportip.c   |   15 ++--
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |   23 +++---
 net/netfilter/ipset/ip_set_hash_net.c        |    4 +-
 net/netfilter/ipset/ip_set_hash_netiface.c   |    4 +-
 net/netfilter/ipset/ip_set_hash_netport.c    |   13 ++--
 10 files changed, 107 insertions(+), 92 deletions(-)

* Re: [PATCH 0/3] ipset fixes
From: Pablo Neira Ayuso @ 2012-09-22 10:34 UTC
To: Jozsef Kadlecsik; +Cc: netfilter-devel

Hi Jozsef,

On Fri, Sep 21, 2012 at 10:38:21PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
>
> Here follows two important ipset fixes against your nf tree. (The first
> patch is an old one somehow forgotten to send or apply and the other
> ones depend on it.)
>
> You can pull these changes from:
>
>   git://blackhole.kfki.hu/nf master
>
> Best regards,
> Jozsef
>
> Jozsef Kadlecsik (3):
>   netfilter: ipset: Fix sparse warnings "incorrect type in assignment"

This one above has to go through nf-next. I can manually applied, no
need to resend the patch.

>   netfilter: ipset: Check and reject crazy /0 input parameters
>   netfilter: ipset: Fix cidr book keeping for hash:*net* types

Please, could you develop how critical are these above? We're fairly
late in the release cycle, I'd prefer if we pass only really critical
fixes.

Thanks a lot for your updates.

* Re: [PATCH 0/3] ipset fixes
From: Jozsef Kadlecsik @ 2012-09-22 19:22 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Sat, 22 Sep 2012, Pablo Neira Ayuso wrote:

> On Fri, Sep 21, 2012 at 10:38:21PM +0200, Jozsef Kadlecsik wrote:
> >
> > Here follows two important ipset fixes against your nf tree. (The first
> > patch is an old one somehow forgotten to send or apply and the other
> > ones depend on it.)
> >
> > You can pull these changes from:
> >
> >   git://blackhole.kfki.hu/nf master
> >
> > Jozsef Kadlecsik (3):
> >   netfilter: ipset: Fix sparse warnings "incorrect type in assignment"
>
> This one above has to go through nf-next. I can manually applied, no
> need to resend the patch.

OK, thanks.

> >   netfilter: ipset: Check and reject crazy /0 input parameters
> >   netfilter: ipset: Fix cidr book keeping for hash:*net* types
>
> Please, could you develop how critical are these above? We're fairly
> late in the release cycle, I'd prefer if we pass only really critical
> fixes.

> >   netfilter: ipset: Check and reject crazy /0 input parameters

This one is easy to trigger: bitmap:ip sets are allowed to be created from
range 0/0, but with /16 subnets as elements:

  ipset new foo bitmap:ip range 0/0 netmask 16

However if "netmask 16" is left out accidentally, the kernel does not
reject it but creates a broken set and the system will crash when the
first element is added.

If we are quite late in the release cycle, maybe it can wait and be added
to nf-next only.

> >   netfilter: ipset: Fix cidr book keeping for hash:*net* types

You asked to check how critical the bug is, and it was just the perfect
question :-). I have re-checked and I was mistaken. The new case (zero
cidr size), which was not handled by the old code, somehow misled me. So
the patch description should be rewritten - I'm going to send a new batch
of the patches against nf-next tomorrow. Thanks!

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

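An added illustration, not code from this thread or from ipset: one way a size check on a `range 0/0` request can accept the set when the netmask defaults to 32, beside a widened check that rejects it. It assumes the element count is held in 32 bits and capped at 65536; `MAX_ELEMENTS` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ELEMENTS 65536u  /* assumed cap, constructed for this example */

/* Expand addr/cidr into the inclusive range [first, last]; /0 is all of IPv4. */
static void cidr_to_range(uint32_t addr, unsigned cidr,
                          uint32_t *first, uint32_t *last)
{
    uint32_t mask = cidr ? ~(uint32_t)0 << (32 - cidr) : 0;
    *first = addr & mask;
    *last = *first | ~mask;
}

/* Weak check: count kept in 32 bits. Returns 0 = accept, -1 = reject. */
static int check_range_u32(uint32_t first, uint32_t last, unsigned netmask,
                           uint32_t *elements)
{
    /* netmask is the element size in prefix bits, 1..32 (32 = single hosts) */
    *elements = ((last - first) >> (32 - netmask)) + 1;  /* may wrap to 0 */
    return *elements > MAX_ELEMENTS ? -1 : 0;
}

/* Hardened check: same arithmetic widened to 64 bits, zero also rejected. */
static int check_range_u64(uint32_t first, uint32_t last, unsigned netmask,
                           uint64_t *elements)
{
    *elements = ((uint64_t)(last - first) >> (32 - netmask)) + 1;
    return (*elements == 0 || *elements > MAX_ELEMENTS) ? -1 : 0;
}

int main(void)
{
    uint32_t first, last, n32;
    uint64_t n64;
    cidr_to_range(0, 0, &first, &last);          /* "range 0/0" */
    for (unsigned nm = 16; nm <= 32; nm += 16) { /* netmask 16, then 32 */
        int weak = check_range_u32(first, last, nm, &n32);
        int hard = check_range_u64(first, last, nm, &n64);
        printf("netmask %u: u32 count=%u %s | u64 count=%llu %s\n", nm,
               (unsigned)n32, weak ? "reject" : "accept",
               (unsigned long long)n64, hard ? "reject" : "accept");
    }
    return 0;
}
```

With netmask 16 both checks accept 65536 elements; with netmask 32 the 32-bit count wraps to 0 and passes the cap, while the 64-bit count of 4294967296 is rejected.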
* Re: [PATCH 0/3] ipset fixes
From: Pablo Neira Ayuso @ 2012-09-23 22:26 UTC
To: Jozsef Kadlecsik; +Cc: netfilter-devel

On Sat, Sep 22, 2012 at 09:22:08PM +0200, Jozsef Kadlecsik wrote:
[...]
> > Please, could you develop how critical are these above? We're fairly
> > late in the release cycle, I'd prefer if we pass only really critical
> > fixes.
>
> > >   netfilter: ipset: Check and reject crazy /0 input parameters
>
> This one is easy to trigger: bitmap:ip sets are allowed to be created from
> range 0/0, but with /16 subnets as elements:
>
>   ipset new foo bitmap:ip range 0/0 netmask 16
>
> However if "netmask 16" is left out accidentally, the kernel does not
> reject it but creates a broken set and the system will crash when the
> first element is added.

I see, this crash seems to be triggered in really rare situation.

> If we are quite late in the release cycle, maybe it can wait and be added
> to nf-next only.

We can still push fixes, but at this stage we should focus on fixes
that really happen in normal cases / typical usage IMO.

> > >   netfilter: ipset: Fix cidr book keeping for hash:*net* types
>
> You asked to check how critical the bug is, and it was just the perfect
> question :-). I have re-checked and I was mistaken. The new case (zero
> cidr size), which was not handled by the old code, somehow misled me. So
> the patch description should be rewritten - I'm going to send a new batch
> of the patches against nf-next tomorrow. Thanks!

Will check tomorrow, thanks again!