From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] netfilter: nft_rbtree: fix data handling of end interval elements
Date: Fri, 7 Feb 2014 13:20:14 +0000
Message-ID: <20140207132014.GA21147@macbook.localnet>
In-Reply-To: <1391778947-8957-2-git-send-email-pablo@netfilter.org>
On Fri, Feb 07, 2014 at 02:15:47PM +0100, Pablo Neira Ayuso wrote:
> This patch fixes several things related to the handling of
> end interval elements:
>
> * Chain use underflow with intervals and map: If you add a rule
> using intervals+map that introduces a loop, the error path of the
> rbtree set decrements the chain refcount for each side of the
> interval, leading to a chain use counter underflow.
>
> * Don't copy the data part of the end interval element, since this
> area is uninitialized and this confuses the loop detection code.
>
> * Don't allocate room for the data part of end interval elements
> since this is unused.
>
> So, after this patch the idea is that end interval elements don't
> have a data part.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> This patch extends http://patchwork.ozlabs.org/patch/317485/.
>
> @Patrick, you mentioned also that nft_hash needs to be adjusted, but
> after looking at this again I think there's no problem there since
> hash cannot currently be selected for interval sets. Thanks for your
> comments on the initial patch :)
Correct, just noticed that myself :)
Acked-by: Patrick McHardy <kaber@trash.net>
for both patches.
Thread overview: 3+ messages
2014-02-07 13:15 [PATCH 1/2] netfilter: nf_tables: do not allow NFT_SET_ELEM_INTERVAL_END flag and data Pablo Neira Ayuso
2014-02-07 13:15 ` [PATCH 2/2] netfilter: nft_rbtree: fix data handling of end interval elements Pablo Neira Ayuso
2014-02-07 13:20 ` Patrick McHardy [this message]