On Fri, 2017-12-22 at 09:46 +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
>
> [ Upstream commit 2c422257550f123049552b39f7af6e3428a60f43 ]
>
> We only allow runtime updates of expectation policies for timeout and
> maximum number of expectations, otherwise reject the update.
[...]
> +static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
> + struct nf_conntrack_helper *helper)
> +{
> + struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
> + struct nf_conntrack_expect_policy *policy;
> + int i, err;
> +
> + /* Check first that all policy attributes are well-formed, so we don't
> + * leave things in inconsistent state on errors.
> + */
> + for (i = 0; i < helper->expect_class_max + 1; i++) {
> +
> + if (!tb[NFCTH_POLICY_SET + i])
> + return -EINVAL;
> +
> + err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
> + &new_policy[i],
> + tb[NFCTH_POLICY_SET + i]);
> + if (err < 0)
> + return err;
> + }
> + /* Now we can safely update them. */
> + for (i = 0; i < helper->expect_class_max + 1; i++) {
> + policy = (struct nf_conntrack_expect_policy *)
> + &helper->expect_policy[i];
> + policy->max_expected = new_policy->max_expected;
> + policy->timeout = new_policy->timeout;
[...]
Shouldn't the RHS of these two assignments use new_policy[i]?
Ben.
--
Ben Hutchings
Software Developer, Codethink Ltd.