netfilter-devel.vger.kernel.org archive mirror
* [PATCH 0/3] ipset fixes
@ 2012-09-21 20:38 Jozsef Kadlecsik
  2012-09-22 10:34 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Jozsef Kadlecsik @ 2012-09-21 20:38 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Pablo Neira Ayuso

Hi Pablo,

Here follow two important ipset fixes against your nf tree. (The first
patch is an old one that was somehow forgotten and never sent or applied, and
the other ones depend on it.)

You can pull these changes from:

git://blackhole.kfki.hu/nf master

Best regards,
Jozsef

Jozsef Kadlecsik (3):
  netfilter: ipset: Fix sparse warnings "incorrect type in assignment"
  netfilter: ipset: Check and reject crazy /0 input parameters
  netfilter: ipset: Fix cidr book keeping for hash:*net* types

 include/linux/netfilter/ipset/ip_set_ahash.h |  104 ++++++++++++++------------
 net/netfilter/ipset/ip_set_bitmap_ip.c       |   10 ++-
 net/netfilter/ipset/ip_set_bitmap_ipmac.c    |    5 +-
 net/netfilter/ipset/ip_set_hash_ip.c         |    6 +-
 net/netfilter/ipset/ip_set_hash_ipport.c     |   15 ++--
 net/netfilter/ipset/ip_set_hash_ipportip.c   |   15 ++--
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |   23 +++---
 net/netfilter/ipset/ip_set_hash_net.c        |    4 +-
 net/netfilter/ipset/ip_set_hash_netiface.c   |    4 +-
 net/netfilter/ipset/ip_set_hash_netport.c    |   13 ++--
 10 files changed, 107 insertions(+), 92 deletions(-)



* Re: [PATCH 0/3] ipset fixes
  2012-09-21 20:38 [PATCH 0/3] ipset fixes Jozsef Kadlecsik
@ 2012-09-22 10:34 ` Pablo Neira Ayuso
  2012-09-22 19:22   ` Jozsef Kadlecsik
  0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2012-09-22 10:34 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

Hi Jozsef,

On Fri, Sep 21, 2012 at 10:38:21PM +0200, Jozsef Kadlecsik wrote:
> Hi Pablo,
> 
> Here follow two important ipset fixes against your nf tree. (The first
> patch is an old one that was somehow forgotten and never sent or applied, and
> the other ones depend on it.)
> 
> You can pull these changes from:
> 
> git://blackhole.kfki.hu/nf master
> 
> Best regards,
> Jozsef
> 
> Jozsef Kadlecsik (3):
>   netfilter: ipset: Fix sparse warnings "incorrect type in assignment"

This one above has to go through nf-next. I can apply it manually, no
need to resend the patch.

>   netfilter: ipset: Check and reject crazy /0 input parameters
>   netfilter: ipset: Fix cidr book keeping for hash:*net* types

Please, could you develop how critical these above are? We're fairly
late in the release cycle, I'd prefer if we pass only really critical
fixes.

Thanks a lot for your updates.


* Re: [PATCH 0/3] ipset fixes
  2012-09-22 10:34 ` Pablo Neira Ayuso
@ 2012-09-22 19:22   ` Jozsef Kadlecsik
  2012-09-23 22:26     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: Jozsef Kadlecsik @ 2012-09-22 19:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

On Sat, 22 Sep 2012, Pablo Neira Ayuso wrote:

> On Fri, Sep 21, 2012 at 10:38:21PM +0200, Jozsef Kadlecsik wrote:
> > 
> > Here follow two important ipset fixes against your nf tree. (The first
> > patch is an old one that was somehow forgotten and never sent or applied, and
> > the other ones depend on it.)
> > 
> > You can pull these changes from:
> > 
> > git://blackhole.kfki.hu/nf master
> > 
> > Jozsef Kadlecsik (3):
> >   netfilter: ipset: Fix sparse warnings "incorrect type in assignment"
> 
> This one above has to go through nf-next. I can apply it manually, no
> need to resend the patch.

OK, thanks.
 
> >   netfilter: ipset: Check and reject crazy /0 input parameters
> >   netfilter: ipset: Fix cidr book keeping for hash:*net* types
> 
> Please, could you develop how critical these above are? We're fairly
> late in the release cycle, I'd prefer if we pass only really critical
> fixes.

> >   netfilter: ipset: Check and reject crazy /0 input parameters

This one is easy to trigger: bitmap:ip sets are allowed to be created from 
range 0/0, but with /16 subnets as elements:

ipset new foo bitmap:ip range 0/0 netmask 16

However if "netmask 16" is left out accidentally, the kernel does not 
reject it but creates a broken set and the system will crash when the 
first element is added.

If we are quite late in the release cycle, maybe it can wait and be added 
to nf-next only.

> >   netfilter: ipset: Fix cidr book keeping for hash:*net* types

You asked to check how critical the bug is, and it was just the perfect 
question :-). I have re-checked and I was mistaken. The new case (zero 
cidr size), which was not handled by the old code, somehow misled me. So 
the patch description should be rewritten - I'm going to send a new batch 
of the patches against nf-next tomorrow. Thanks!

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

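The bitmap:ip case Jozsef describes above is a create-time input validation problem: "range 0/0 netmask 16" is a legitimate set of 65536 /16 entries, while "range 0/0" with no netmask would need one bit per IPv4 address. The following is an added example, not ipset's own code or the patch under discussion: it models the kind of range check a bitmap:ip-style create path needs, computing the element count in 64-bit arithmetic so the full address space cannot wrap, and rejecting ranges above a ceiling. The 65536-element ceiling, the helper names (`count_elements`, `check_bitmap_range`, `parse_range`), and the assumption that the original failure is a 32-bit `last - first + 1` wrapping to 0 for 0.0.0.0-255.255.255.255 are all mine, not facts taken from the thread.

```c
/*
 * Added example (not ipset's own code): a create-time range check for a
 * bitmap:ip-style set, showing why "range 0/0" without a netmask must be
 * rejected. Assumptions: a 2^16 element ceiling, and that the unchecked
 * failure mode is the 32-bit count last - first + 1 wrapping to 0 for
 * the full IPv4 address space.
 */
#include <stdint.h>
#include <stdio.h>

#define BITMAP_MAX_ELEMENTS 0x10000ull   /* assumed ceiling: 2^16 elements */

enum range_status {
	RANGE_OK = 0,
	RANGE_ERR_CIDR,      /* prefix length above 32 */
	RANGE_ERR_NETMASK,   /* netmask outside 1..32 */
	RANGE_ERR_TOO_BIG    /* more elements than the bitmap may hold */
};

/* Network mask for a prefix length; 0 bits -> 0, 32 bits -> all ones. */
static uint32_t hostmask(unsigned bits)
{
	if (bits == 0)
		return 0;
	if (bits >= 32)
		return 0xFFFFFFFFu;
	return 0xFFFFFFFFu << (32 - bits);
}

uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse "a.b.c.d/n" (hypothetical helper mirroring the CLI range syntax). */
int parse_range(const char *s, uint32_t *ip, unsigned *cidr)
{
	unsigned a, b, c, d, n;

	if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &n) != 5)
		return 0;
	if (a > 255 || b > 255 || c > 255 || d > 255 || n > 32)
		return 0;
	*ip = ipv4(a, b, c, d);
	*cidr = n;
	return 1;
}

/* The unchecked count: wraps to 0 for the full address space. */
uint32_t naive_count(uint32_t first, uint32_t last)
{
	return last - first + 1;
}

/*
 * Element count computed in 64 bits, so the full range cannot wrap.
 * With netmask < 32 each element stands for 2^(32 - netmask) addresses.
 */
uint64_t count_elements(uint32_t ip, unsigned cidr, unsigned netmask)
{
	uint64_t first = ip & hostmask(cidr);
	uint64_t last = first | (~hostmask(cidr) & 0xFFFFFFFFu);

	if (netmask < 32) {
		first &= hostmask(netmask);
		last |= ~hostmask(netmask) & 0xFFFFFFFFu;
		return ((last - first) >> (32 - netmask)) + 1;
	}
	return last - first + 1;
}

int check_bitmap_range(uint32_t ip, unsigned cidr, unsigned netmask)
{
	if (cidr > 32)
		return RANGE_ERR_CIDR;
	if (netmask < 1 || netmask > 32)
		return RANGE_ERR_NETMASK;
	if (count_elements(ip, cidr, netmask) > BITMAP_MAX_ELEMENTS)
		return RANGE_ERR_TOO_BIG;
	return RANGE_OK;
}

int main(void)
{
	/* constructed inputs: the thread's "range 0/0" plus two ordinary ranges */
	const char *ranges[] = { "0.0.0.0/0", "10.0.0.0/8", "192.168.0.0/16" };
	const unsigned masks[] = { 32, 16 };
	const char *verdict[] = { "ok", "bad cidr", "bad netmask", "too big" };
	size_t i, j;

	for (i = 0; i < sizeof(ranges) / sizeof(ranges[0]); i++) {
		uint32_t ip, first, last;
		unsigned cidr;

		if (!parse_range(ranges[i], &ip, &cidr))
			continue;
		first = ip & hostmask(cidr);
		last = first | ~hostmask(cidr);
		for (j = 0; j < 2; j++)
			printf("%-15s netmask %2u: naive=%10u checked=%11llu -> %s\n",
			       ranges[i], masks[j], naive_count(first, last),
			       (unsigned long long)count_elements(ip, cidr, masks[j]),
			       verdict[check_bitmap_range(ip, cidr, masks[j])]);
	}
	return 0;
}
```

Run as is, the output shows the two behaviours side by side: for "0.0.0.0/0" with netmask 32 the naive 32-bit count reads 0 while the 64-bit count is 4294967296 and the range is refused, whereas the same range with netmask 16 counts 65536 elements and is accepted, matching the `ipset new foo bitmap:ip range 0/0 netmask 16` invocation above.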

* Re: [PATCH 0/3] ipset fixes
  2012-09-22 19:22   ` Jozsef Kadlecsik
@ 2012-09-23 22:26     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2012-09-23 22:26 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

On Sat, Sep 22, 2012 at 09:22:08PM +0200, Jozsef Kadlecsik wrote:
[...]
> > Please, could you develop how critical these above are? We're fairly
> > late in the release cycle, I'd prefer if we pass only really critical
> > fixes.
> 
> > >   netfilter: ipset: Check and reject crazy /0 input parameters
> 
> This one is easy to trigger: bitmap:ip sets are allowed to be created from 
> range 0/0, but with /16 subnets as elements:
> 
> ipset new foo bitmap:ip range 0/0 netmask 16
> 
> However if "netmask 16" is left out accidentally, the kernel does not 
> reject it but creates a broken set and the system will crash when the 
> first element is added.

I see, this crash seems to be triggered in a really rare situation.

> If we are quite late in the release cycle, maybe it can wait and be added 
> to nf-next only.

We can still push fixes, but at this stage we should focus on fixes
that really happen in normal cases / typical usage IMO.

> > >   netfilter: ipset: Fix cidr book keeping for hash:*net* types
> 
> You asked to check how critical the bug is, and it was just the perfect 
> question :-). I have re-checked and I was mistaken. The new case (zero 
> cidr size), which was not handled by the old code, somehow misled me. So 
> the patch description should be rewritten - I'm going to send a new batch 
> of the patches against nf-next tomorrow. Thanks!

Will check tomorrow, thanks again!
