netfilter: ipset: fix timeout value overflow bug (127f5591) · Commits · e / devices / android_kernel_xiaomi_markw

include/linux/netfilter/ipset/ip_set_timeout.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -30,6 +30,10 @@ ip_set_timeout_uget(struct nlattr *tb)
		{
		unsigned int timeout = ip_set_get_h32(tb);

		/* Normalize to fit into jiffies */
		if (timeout > UINT_MAX/MSEC_PER_SEC)
		timeout = UINT_MAX/MSEC_PER_SEC;

		/* Userspace supplied TIMEOUT parameter: adjust crazy size */
		return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
		}

+13 −2

Original line number	Diff line number	Diff line
		@@ -44,6 +44,14 @@ const struct ip_set_adt_opt n = { \
		.cmdflags = cfs, \
		.timeout = t, \
		}
		#define ADT_MOPT(n, f, d, fs, cfs, t) \
		struct ip_set_adt_opt n = { \
		.family = f, \
		.dim = d, \
		.flags = fs, \
		.cmdflags = cfs, \
		.timeout = t, \
		}

		/* Revision 0 interface: backward compatible with netfilter/iptables */

		@@ -296,11 +304,14 @@ static unsigned int
		set_target_v2(struct sk_buff skb, const struct xt_action_param par)
		{
		const struct xt_set_info_target_v2 *info = par->targinfo;
		ADT_OPT(add_opt, par->family, info->add_set.dim,
		ADT_MOPT(add_opt, par->family, info->add_set.dim,
		info->add_set.flags, info->flags, info->timeout);
		ADT_OPT(del_opt, par->family, info->del_set.dim,
		info->del_set.flags, 0, UINT_MAX);

		/* Normalize to fit into jiffies */
		if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
		add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
		if (info->add_set.index != IPSET_INVALID_ID)
		ip_set_add(info->add_set.index, skb, par, &add_opt);
		if (info->del_set.index != IPSET_INVALID_ID)