From b8d6cfc169bf79b72faaab6ef7940798dbfe9328 Mon Sep 17 00:00:00 2001 From: "/C=EU/ST=EU/CN=Jozsef Kadlecsik/emailAddress=kadlec@blackhole.kfki.hu" Date: Tue, 21 Oct 2008 12:09:05 +0000 Subject: [PATCH] As the manpage says, zero valued set entries cannot be used with hash type of sets. Enforce the restriction. --- Makefile | 2 +- kernel/ChangeLog | 4 ++++ kernel/ip_set_ipporthash.c | 6 ++++++ kernel/ip_set_ipportiphash.c | 4 ++++ kernel/ip_set_ipportnethash.c | 8 ++++++++ tests/iphash.t | 4 ++++ tests/ipporthash.t | 4 ++++ tests/ipportiphash.t | 4 ++++ tests/ipportnethash.t | 4 ++++ tests/nethash.t | 4 ++++ 10 files changed, 43 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a192216..6de0097 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ ifndef V V=0 endif -IPSET_VERSION:=2.4 +IPSET_VERSION:=2.4.1 PREFIX:=/usr/local LIBDIR:=$(PREFIX)/lib diff --git a/kernel/ChangeLog b/kernel/ChangeLog index d034b34..f730927 100644 --- a/kernel/ChangeLog +++ b/kernel/ChangeLog @@ -1,3 +1,7 @@ +2.4.1 + - Zero-valued element are not accepted by hash type of sets + because we cannot make a difference between a zero-valued + element and not-set element. 2.4 - ipportiphash, ipportnethash and setlist types added - set type modules reworked to avoid code duplication diff --git a/kernel/ip_set_ipporthash.c b/kernel/ip_set_ipporthash.c index 1dd39c3..97b2323 100644 --- a/kernel/ip_set_ipporthash.c +++ b/kernel/ip_set_ipporthash.c @@ -39,8 +39,11 @@ ipporthash_id(struct ip_set *set, ip_set_ip_t *hash_ip, ip_set_ip_t *elem; *hash_ip = pack_ip_port(map, ip, port); + DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u", set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip)); + if (!*hash_ip) + return UINT_MAX; for (i = 0; i < map->probes; i++) { id = jhash_ip(map, i, *hash_ip) % map->hashsize; 
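Review bot: The new `if (!*hash_ip) return UINT_MAX;` in ipporthash_id has no comment saying why a packed value of zero is special; the reason is given only in kernel/ChangeLog. A one-line comment above the check would keep the invariant next to the code, for example `/* a zero value cannot be told apart from a not-set slot */`, and the same comment fits the `-ERANGE` check added to ipporthash_add in the next hunk. The lookup path reports the zero element through the same `UINT_MAX` value it returns here, while the add path reports `-ERANGE`, so a caller of the id path presumably cannot tell "rejected" from "absent"; whether that matters depends on callers not shown. The body of ipporthash_id starts before and continues past this hunk.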
@@ -113,6 +116,9 @@ ipporthash_add(struct ip_set *set, ip_set_ip_t *hash_ip, return -ERANGE; *hash_ip = pack_ip_port(map, ip, port); + + if (!*hash_ip) + return -ERANGE; return __ipporthash_add(map, hash_ip); } diff --git a/kernel/ip_set_ipportiphash.c b/kernel/ip_set_ipportiphash.c index 1755c57..74e8f7e 100644 --- a/kernel/ip_set_ipportiphash.c +++ b/kernel/ip_set_ipportiphash.c @@ -44,6 +44,8 @@ ipportiphash_id(struct ip_set *set, ip_set_ip_t *hash_ip, *hash_ip = pack_ip_port(map, ip, port); DP("set: %s, ipport:%u.%u.%u.%u:%u, %u.%u.%u.%u", set->name, HIPQUAD(ip), port, HIPQUAD(*hash_ip)); + if (!(*hash_ip || ip1)) + return UINT_MAX; for (i = 0; i < map->probes; i++) { id = jhash_ip2(map, i, *hash_ip, ip1) % map->hashsize; @@ -127,6 +129,8 @@ ipportiphash_add(struct ip_set *set, ip_set_ip_t *hash_ip, return -ERANGE; *hash_ip = pack_ip_port(map, ip, port); + if (!(*hash_ip || ip1)) + return -ERANGE; return __ipportip_add(map, *hash_ip, ip1); } diff --git a/kernel/ip_set_ipportnethash.c b/kernel/ip_set_ipportnethash.c index 3783bb8..0f08ba6 100644 --- a/kernel/ip_set_ipportnethash.c +++ b/kernel/ip_set_ipportnethash.c @@ -106,10 +106,13 @@ static int ipportnethash_utest(struct ip_set *set, const void *data, size_t size, ip_set_ip_t *hash_ip) { + const struct ip_set_ipportnethash *map = set->data; const struct ip_set_req_ipportnethash *req = data; if (req->cidr <= 0 || req->cidr > 32) return -EINVAL; + if (!(pack_ip_port(map, req->ip, req->port))) + return -ERANGE; return (req->cidr == 32 ? ipportnethash_test(set, hash_ip, req->ip, req->port, req->ip1) @@ -119,6 +122,7 @@ ipportnethash_utest(struct ip_set *set, const void *data, size_t size, #define KADT_CONDITION \ ip_set_ip_t port, ip1; \ + struct ip_set_ipportnethash *map = set->data; \ \ if (flags[index+2] == 0) \ return 0; \ 
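Review bot: The zero checks for ipportnethash do not agree with each other: ipportnethash_utest in the @@ -106 hunk and KADT_CONDITION in the @@ -127 hunk reject whenever `pack_ip_port()` is zero, while ipportnethash_add in the @@ -181 hunk rejects only when both `*hash_ip` and `ip1` are zero. As written, an element whose packed ip:port is zero but whose `ip1` is not appears to be accepted by add and can then never match, either in a userspace test or in the packet path; for a set referenced by filtering rules that is an entry which is silently ineffective. If the pair is the unit that must be non-zero, as in the ipportiphash hunks, the test side should use the same condition, e.g. `if (!(pack_ip_port(map, req->ip, req->port) || req->ip1)) return -ERANGE;` and `if (!(pack_ip_port(map, ip, port) || ip1)) return 0;` in the macro. The cases added to tests/ipportnethash.t use `2.0.0.1,0,0.0.0.0/1`, where both halves are zero, so they would not catch the difference; a case with only the ip:port half zero would. The return expression of ipportnethash_utest and the rest of the macro continue outside these hunks.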
@@ -127,6 +131,8 @@ ipportnethash_utest(struct ip_set *set, const void *data, size_t size, ip1 = ipaddr(skb, flags[index+2]); \ \ if (port == INVALID_PORT) \ + return 0; \ + if (!(pack_ip_port(map, ip, port))) \ return 0; KADT(ipportnethash, test, ipaddr, port, ip1) @@ -181,6 +187,8 @@ ipportnethash_add(struct ip_set *set, ip_set_ip_t *hash_ip, return -ERANGE; *hash_ip = pack_ip_port(map, ip, port); + if (!(*hash_ip || ip1)) + return -ERANGE; ret =__ipportnet_add(map, *hash_ip, pack_ip_cidr(ip1, cidr)); if (ret == 0) { diff --git a/tests/iphash.t b/tests/iphash.t index 14c3395..731457d 100644 --- a/tests/iphash.t +++ b/tests/iphash.t @@ -1,5 +1,9 @@ # IP: Create a set 0 ipset -N test iphash --hashsize 128 +# Range: Add zero valued element +2 ipset -A test 0.0.0.0 +# Range: Test zero valued element +2 ipset -T test 0.0.0.0 # IP: Add first random value 0 ipset -A test 2.0.0.1 # IP: Add second random value diff --git a/tests/ipporthash.t b/tests/ipporthash.t index edbbb0c..fe246a3 100644 --- a/tests/ipporthash.t +++ b/tests/ipporthash.t @@ -2,6 +2,10 @@ 2 ipset -N test ipporthash --from 2.0.0.1 --to 2.1.0.1 # Range: Create a set from a valid range 0 ipset -N test ipporthash --from 2.0.0.1 --to 2.1.0.0 +# Range: Add zero valued element +1 ipset -A test 2.0.0.1,0 +# Range: Test zero valued element +1 ipset -T test 2.0.0.1,0 # Range: Add lower boundary 0 ipset -A test 2.0.0.1,5 # Range: Add upper boundary diff --git a/tests/ipportiphash.t b/tests/ipportiphash.t index 5ffd08a..058b706 100644 --- a/tests/ipportiphash.t +++ b/tests/ipportiphash.t @@ -2,6 +2,10 @@ 2 ipset -N test ipportiphash --from 2.0.0.1 --to 2.1.0.1 # Range: Create a set from a valid range 0 ipset -N test ipportiphash --from 2.0.0.1 --to 2.1.0.0 +# Range: Add zero valued element +1 ipset -A test 2.0.0.1,0,0.0.0.0 +# Range: Test zero valued element +1 ipset -T test 2.0.0.1,0,0.0.0.0 # Range: Add lower boundary 0 ipset -A test 2.0.0.1,5,1.1.1.1 # Range: Add upper boundary 
diff --git a/tests/ipportnethash.t b/tests/ipportnethash.t index b7d64ff..18e89a1 100644 --- a/tests/ipportnethash.t +++ b/tests/ipportnethash.t @@ -2,6 +2,10 @@ 2 ipset -N test ipportnethash --from 2.0.0.1 --to 2.1.0.1 # Range: Create a set from a valid range 0 ipset -N test ipportnethash --from 2.0.0.1 --to 2.1.0.0 +# Range: Add zero valued element +1 ipset -A test 2.0.0.1,0,0.0.0.0/1 +# Range: Test zero valued element +1 ipset -T test 2.0.0.1,0,0.0.0.0/1 # Range: Add lower boundary 0 ipset -A test 2.0.0.1,5,1.1.1.1/24 # Range: Add upper boundary diff --git a/tests/nethash.t b/tests/nethash.t index ef213f9..bcb873b 100644 --- a/tests/nethash.t +++ b/tests/nethash.t @@ -1,5 +1,9 @@ # Create a set 0 ipset -N test nethash --hashsize 128 +# Range: Add zero valued element +2 ipset -A test 0.0.0.0/0 +# Range: Test zero valued element +2 ipset -T test 0.0.0.0/0 # Add first random network 0 ipset -A test 2.0.0.1/24 # Add second random network -- 2.40.0