On Mon, Mar 06, 2017 at 12:02:52AM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@xxxxxxxxx>
>
> Currently we just assume the element key as a u32 integer, regardless of
> the set key length.
>
> This is incorrect, for example, the tcp port number is only 16 bits.
> So when we use the nft_payload expr to get the tcp dport and store
> it to dreg, the dport will be stored at 0~15 bits, and 16~31 bits
> will be padded with zero.
>
> So the reg->data[dreg] will be looked like as below:
> 0 15 31
> +-+-+-+-+-+-+-+-+-+-+-+-+
> | tcp dport | 0 |
> +-+-+-+-+-+-+-+-+-+-+-+-+
> But for these big-endian systems, if we treate this register as a u32
> integer, the element key will be larger than 65535, so the following
> lookup in bitmap set will cause out of bound access.
>
> Another issue is that if we add element with comments in bitmap
> set(although the comments will be ignored eventually), the element will
> vanish strangely. Because we treate the element key as a u32 integer, so
> the comments will become the part of the element key, then the element
> key will also be larger than 65535 and out of bound access will happen:
> # nft add element t s { 1 comment test }
Right, the userdata case is not handled properly. And in this case we
have no specific flag at set creation, so element comments may come
without previous notice via set flags.
I think we have to keep a list of dummy nft_set_ext that is only used
in the dump path, we can simplify this logic at the cost of increasing
memory consumption. Another alternative is to keep around a structure
to store only the set element userdata that we need for comments.
Let me think.
Your patches look good to me. Probably we can skip 2/2 if we introduce
the dummy nft_set_ext list, and remove the ->flush field for
nft_set_iter.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
