On Sat, Sep 22, 2012 at 09:22:08PM +0200, Jozsef Kadlecsik wrote: [...] > > Please, could you develop how critical are these above? We're fairly > > late in the release cycle, I'd prefer if we pass only really critical > > fixes. > > > > netfilter: ipset: Check and reject crazy /0 input parameters > > This one is easy to trigger: bitmap:ip sets are allowed to be created from > range 0/0, but with /16 subnets as elements: > > ipset new foo bitmap:ip range 0/0 netmask 16 > > However if "netmask 16" is left out accidentally, the kernel does not > reject it but creates a broken set and the system will crash when the > first element is added. I see, this crash seems to be triggered in really rare situation. > If we are quite late in the release cycle, maybe it can wait and be added > to nf-next only. We can still push fixes, but at this stage we should focus on fixes that really happen in normal cases / typical usage IMO. > > > netfilter: ipset: Fix cidr book keeping for hash:*net* types > > You asked to check how critical the bug is, and it was just the perfect > question :-). I have re-checked and I was mistaken. The new case (zero > cidr size), which was not handled by the old code, somehow misled me. So > the patch description should be rewritten - I'm going to send a new batch > of the patches against nf-next tomorrow. Thanks! Will check tomorrow, thanks again! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
