Re: [PATCH 2/9] nftables: reject NFT_SET_ELEM_INTERVAL_END flag for non-interval sets

[PATCH 0/9 WIP] nf_tables: set extensions and dynamic updates · Patrick McHardy <hidden> · 2015-01-30
[PATCH 7/9] netfilter: nft_hash: add support for timeouts · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 7/9] netfilter: nft_hash: add support for timeouts · Herbert Xu <herbert@gondor.apana.org.au> · 2015-01-31
Re: [PATCH 7/9] netfilter: nft_hash: add support for timeouts · Patrick McHardy <hidden> · 2015-01-31
[PATCH 8/9] netfilter: nft_lookup: add missing attribute validation for NFTA_LOOKUP_SET_ID · Patrick McHardy <hidden> · 2015-01-30
[PATCH 1/9] rhashtable: simplify rhashtable_remove() · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 1/9] rhashtable: simplify rhashtable_remove() · Thomas Graf <tgraf@suug.ch> · 2015-01-30
[PATCH 2/9] nftables: reject NFT_SET_ELEM_INTERVAL_END flag for non-interval sets · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 2/9] nftables: reject NFT_SET_ELEM_INTERVAL_END flag for non-interval sets · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-01-30
Re: [PATCH 2/9] nftables: reject NFT_SET_ELEM_INTERVAL_END flag for non-interval sets · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 2/9] nftables: reject NFT_SET_ELEM_INTERVAL_END flag for non-interval sets · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-01-30
[PATCH 3/9] nftables: nft_rbtree: fix locking · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 3/9] nftables: nft_rbtree: fix locking · Pablo Neira Ayuso <pablo@netfilter.org> · 2015-01-30
[PATCH 4/9] netfilter: nf_tables: add set extensions · Patrick McHardy <hidden> · 2015-01-30
[PATCH 5/9] netfilter: nf_tables: convert hash and rbtree to set extensions · Patrick McHardy <hidden> · 2015-01-30
[PATCH 6/9] netfilter: nf_tables: add set timeout support · Patrick McHardy <hidden> · 2015-01-30
[PATCH 9/9] netfilter: nf_tables: add support for dynamic set updates · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 9/9] netfilter: nf_tables: add support for dynamic set updates · Herbert Xu <herbert@gondor.apana.org.au> · 2015-01-30
Re: [PATCH 9/9] netfilter: nf_tables: add support for dynamic set updates · Patrick McHardy <hidden> · 2015-01-30
Re: [PATCH 9/9] netfilter: nf_tables: add support for dynamic set updates · Herbert Xu <herbert@gondor.apana.org.au> · 2015-01-30
Re: [PATCH 9/9] netfilter: nf_tables: add support for dynamic set updates · Herbert Xu <herbert@gondor.apana.org.au> · 2015-01-30

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2015-01-30 17:31:07
Also in: netfilter-devel

Hi Patrick,

Unless you have any concern, I'm going to apply this and 8/9 to
nf-next, so you don't need to resend these two sanitization fixes.

Thanks.

On Fri, Jan 30, 2015 at 07:46:27AM +0000, Patrick McHardy wrote:

quoted hunk ↗ jump to hunk

Signed-off-by: Patrick McHardy <redacted>
---
 net/netfilter/nf_tables_api.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 129a8da..92ba4a0 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c

@@ -3112,6 +3112,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 		elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
 		if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
 			return -EINVAL;
+		if (!(set->flags & NFT_SET_INTERVAL) &&
+		    elem.flags & NFT_SET_ELEM_INTERVAL_END)
+			return -EINVAL;
 	}
 
 	if (set->flags & NFT_SET_MAP) {

-- 
2.1.0

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help