netfilter-devel.vger.kernel.org archive mirror
From: Stefano Brivio <sbrivio@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: PetrB <petr.boltik@gmail.com>, netfilter-devel@vger.kernel.org
Subject: [PATCH nft 1/2] segtree: Fix range_mask_len() for subnet ranges exceeding unsigned int
Date: Thu,  6 May 2021 00:23:13 +0200
Message-ID: <5ff3ceab3d3a547ab23144adbfa2000f1604c39f.1620252768.git.sbrivio@redhat.com>
In-Reply-To: <cover.1620252768.git.sbrivio@redhat.com>

As concatenated ranges are fetched from kernel sets and displayed to
the user, range_mask_len() evaluates whether the range is suitable for
display as netmask, and in that case it calculates the mask length by
right-shifting the endpoints until no set bits are left, but in the
existing version the temporary copies of the endpoints are derived by
copying their unsigned int representation, which doesn't suffice for
IPv6 netmask lengths, in general.

PetrB reports that, after inserting a /56 subnet in a concatenated set
element, it's listed as a /64 range. In fact, this happens for any
IPv6 mask shorter than 64 bits.

Fix this issue by simply sourcing the range endpoints provided by the
caller and setting the temporary copies with mpz_init_set(), instead
of fetching the unsigned int representation. The issue only affects
displaying of the masks, setting elements already works as expected.

Reported-by: PetrB <petr.boltik@gmail.com>
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1520
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 src/segtree.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/segtree.c b/src/segtree.c
index ad199355532e..353a0053ebc0 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -838,8 +838,8 @@ static int range_mask_len(const mpz_t start, const mpz_t end, unsigned int len)
 	mpz_t tmp_start, tmp_end;
 	int ret;
 
-	mpz_init_set_ui(tmp_start, mpz_get_ui(start));
-	mpz_init_set_ui(tmp_end, mpz_get_ui(end));
+	mpz_init_set(tmp_start, start);
+	mpz_init_set(tmp_end, end);
 
 	while (mpz_cmp(tmp_start, tmp_end) <= 0 &&
 		!mpz_tstbit(tmp_start, 0) && mpz_tstbit(tmp_end, 0) &&
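
Review bot: the subject and commit message describe the old copies as limited to "unsigned int", but the removed mpz_init_set_ui(tmp_start, mpz_get_ui(start)) lines go through mpz_get_ui(), which returns an unsigned long, so the truncation width follows the platform's unsigned long rather than unsigned int. That is consistent with the reported /56 being listed as /64 on a 64-bit build, and it means the "shorter than 64 bits" boundary in the message is specific to such builds; consider rewording the subject and message to say "unsigned long". The replacement with mpz_init_set() looks right for the stated goal, since start and end are already const mpz_t and the loop below only reads and shifts the temporaries, so no width assumption remains in the copies.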
-- 
2.30.2

