netfilter-devel.vger.kernel.org archive mirror
From: Stefano Brivio <sbrivio@redhat.com>
To: Phil Sutter <phil@nwl.cc>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	PetrB <petr.boltik@gmail.com>,
	netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 1/2] segtree: Fix range_mask_len() for subnet ranges exceeding unsigned int
Date: Thu, 6 May 2021 12:00:21 +0200
Message-ID: <20210506120021.1bd82275@elisabeth>
In-Reply-To: <20210506091814.GG12403@orbyte.nwl.cc>

On Thu, 6 May 2021 11:18:14 +0200
Phil Sutter <phil@nwl.cc> wrote:

> On Thu, May 06, 2021 at 12:23:13AM +0200, Stefano Brivio wrote:
> > As concatenated ranges are fetched from kernel sets and displayed to
> > the user, range_mask_len() evaluates whether the range is suitable for
> > display as netmask, and in that case it calculates the mask length by
> > right-shifting the endpoints until no set bits are left, but in the
> > existing version the temporary copies of the endpoints are derived by
> > copying their unsigned int representation, which doesn't suffice for
> > IPv6 netmask lengths, in general.
> > 
> > PetrB reports that, after inserting a /56 subnet in a concatenated set
> > element, it's listed as a /64 range. In fact, this happens for any
> > IPv6 mask shorter than 64 bits.
> > 
> > Fix this issue by simply sourcing the range endpoints provided by the
> > caller and setting the temporary copies with mpz_init_set(), instead
> > of fetching the unsigned int representation. The issue only affects
> > displaying of the masks, setting elements already works as expected.
> 
> Fixes: 8ac2f3b2fca38 ("src: Add support for concatenated set ranges")

Thanks Phil! I even looked it up and forgot to paste it ;)

> > Reported-by: PetrB <petr.boltik@gmail.com>
> > Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1520
> > Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
> > ---
> >  src/segtree.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/segtree.c b/src/segtree.c
> > index ad199355532e..353a0053ebc0 100644
> > --- a/src/segtree.c
> > +++ b/src/segtree.c
> > @@ -838,8 +838,8 @@ static int range_mask_len(const mpz_t start, const mpz_t end, unsigned int len)
> >  	mpz_t tmp_start, tmp_end;
> >  	int ret;
> >  
> > -	mpz_init_set_ui(tmp_start, mpz_get_ui(start));
> > -	mpz_init_set_ui(tmp_end, mpz_get_ui(end));
> > +	mpz_init_set(tmp_start, start);
> > +	mpz_init_set(tmp_end, end);  
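
Review bot: the two removed lines at the top of range_mask_len() go through mpz_get_ui(), which returns an unsigned long rather than an unsigned int, so the subject line and commit message would be more accurate saying "unsigned long". That also matches the reported symptom: where unsigned long is 64 bits, only the low 64 bits of each endpoint survive, which is why every mask shorter than 64 bits is listed as /64. The mpz_init_set() replacements fit the const mpz_t parameters in the signature; since the temporaries now hold full-width copies, it is worth confirming that the part of the function below the visible context still releases tmp_start and tmp_end on every return path.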
> 
> The old code is a bit funny, was there a specific reason why you
> exported the values into a C variable intermediately?

Laziness, ultimately: I didn't remember the name of gmp_printf(),
didn't look it up, and used a fprintf() instead to check 'start' and
'end'... and then whoops, I left the mpz_get_ui() calls there.

-- 
Stefano
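
An added example, not part of this thread or of the nftables source: a stand-alone C model of the shift-and-compare check described in the commit message, with two 64-bit halves standing in for mpz_t, showing why a /56 is reported as /64 once the endpoints are cut to their low 64 bits. It assumes a 64-bit unsigned long as the return type of mpz_get_ui(); struct u128, mask_len(), mask_len_truncated() and the sample range are names and values constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit value as two 64-bit halves (stands in for GMP's mpz_t here). */
struct u128 { uint64_t hi, lo; };

static struct u128 shr1(struct u128 v)
{
	v.lo = (v.lo >> 1) | (v.hi << 63);
	v.hi >>= 1;
	return v;
}

static int cmp(struct u128 a, struct u128 b)
{
	if (a.hi != b.hi)
		return a.hi < b.hi ? -1 : 1;
	return a.lo == b.lo ? 0 : (a.lo < b.lo ? -1 : 1);
}

/* Shift both endpoints right while start ends in 0 and end ends in 1;
 * if they meet, the remaining bit count is the prefix length, else -1. */
static int mask_len(struct u128 start, struct u128 end, unsigned int len)
{
	while (cmp(start, end) <= 0 && !(start.lo & 1) && (end.lo & 1) && len--) {
		start = shr1(start);
		end = shr1(end);
	}
	return cmp(start, end) == 0 ? (int)len : -1;
}

/* Same check after keeping only the low 64 bits of each endpoint, which is
 * what a round trip through a 64-bit unsigned long does (assumption). */
static int mask_len_truncated(struct u128 start, struct u128 end, unsigned int len)
{
	start.hi = end.hi = 0;
	return mask_len(start, end, len);
}

/* Constructed sample: 2001:db8:0:100::/56 as an inclusive range. */
static const struct u128 sample_start = { 0x20010db800000100ULL, 0 };
static const struct u128 sample_end = { 0x20010db8000001ffULL, UINT64_MAX };

int main(void)
{
	printf("full width: /%d\n", mask_len(sample_start, sample_end, 128));
	printf("low 64 bits only: /%d\n", mask_len_truncated(sample_start, sample_end, 128));
	return 0;
}
```

Masks of 64 bits or longer come out the same in both variants, because the bits that distinguish the endpoints all sit in the low half.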


Thread overview: 6+ messages
2021-05-05 22:23 [PATCH nft 0/2] Fix display of < 64 bits IPv6 masks in concatenated elements Stefano Brivio
2021-05-05 22:23 ` [PATCH nft 1/2] segtree: Fix range_mask_len() for subnet ranges exceeding unsigned int Stefano Brivio
2021-05-06  9:18   ` Phil Sutter
2021-05-06 10:00     ` Stefano Brivio [this message]
2021-05-06 11:18       ` Phil Sutter
2021-05-05 22:23 ` [PATCH nft 2/2] tests: Introduce 0043_concatenated_ranges_1 for subnets of different sizes Stefano Brivio
