On Wed, Jan 11, 2023 at 11:57:39AM +0000, Gavrilov Ilia wrote: > [You don't often get email from ilia.gavrilov@xxxxxxxxxxx. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of > an arithmetic expression 2 << (netmask - mask_bits - 1) is subject > to overflow due to a failure casting operands to a larger data type > before performing the arithmetic. > > Note that it's harmless since the value will be checked at the next step. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@xxxxxxxxxxx> Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx> > --- > v2: Fix typo of the last_ip value in the description. Fix the expression for 'hosts'. > net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c > index a8ce04a4bb72..e4fa00abde6a 100644 > --- a/net/netfilter/ipset/ip_set_bitmap_ip.c > +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c > @@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], > return -IPSET_ERR_BITMAP_RANGE; > > pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); > - hosts = 2 << (32 - netmask - 1); > - elements = 2 << (netmask - mask_bits - 1); > + hosts = 2U << (32 - netmask - 1); > + elements = 2UL << (netmask - mask_bits - 1); > } > if (elements > IPSET_BITMAP_MAX_RANGE + 1) > return -IPSET_ERR_BITMAP_RANGE_SIZE; > -- > 2.30.2
