Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pable Neira Ayuso says: ==================== The following patchset contains Netfilter fixes for net: 1) Increase timeout to 120 seconds for netfilter selftests to fix nftables transaction tests, from Florian Westphal. 2) Fix overflow in bitmap_ip_create() due to integer arithmetics in a 64-bit bitmask, from Gavrilov Ilia. 3) Fix incorrect arithmetics in nft_payload with double-tagged vlan matching. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2025-01-07 14:32:23 +00:00 · 2023-01-16 13:10:16 +00:00 · 2023-01-16 13:10:16 +00:00 · 21705c7719
commit 21705c7719
parent c296c77efb 696e1a48b1
4 changed files with 13 additions and 10 deletions
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
 			return -IPSET_ERR_BITMAP_RANGE;

 		pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
-		hosts = 2 << (32 - netmask - 1);
-		elements = 2 << (netmask - mask_bits - 1);
+		hosts = 2U << (32 - netmask - 1);
+		elements = 2UL << (netmask - mask_bits - 1);
 	}
 	if (elements > IPSET_BITMAP_MAX_RANGE + 1)
 		return -IPSET_ERR_BITMAP_RANGE_SIZE;
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@ -63,7 +63,7 @@ nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len)
 			return false;

 		if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
-			ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen;
+			ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;

 		memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);

--- a/tools/testing/selftests/netfilter/nft_trans_stress.sh
+++ b/tools/testing/selftests/netfilter/nft_trans_stress.sh
@ -10,12 +10,20 @@
 ksft_skip=4

 testns=testns-$(mktemp -u "XXXXXXXX")
+tmp=""

 tables="foo bar baz quux"
 global_ret=0
 eret=0
 lret=0

+cleanup() {
+	ip netns pids "$testns" | xargs kill 2>/dev/null
+	ip netns del "$testns"
+
+	rm -f "$tmp"
+}
+
 check_result()
 {
 	local r=$1
@ -43,6 +51,7 @@ if [ $? -ne 0 ];then
 	exit $ksft_skip
 fi

+trap cleanup EXIT
 tmp=$(mktemp)

 for table in $tables; do
@ -139,11 +148,4 @@ done

 check_result $lret "add/delete with nftrace enabled"

-pkill -9 ping
-
-wait
-
-rm -f "$tmp"
-ip netns del "$testns"
-
 exit $global_ret
--- a/tools/testing/selftests/netfilter/settings
+++ b/tools/testing/selftests/netfilter/settings
@ -0,0 +1 @@
+timeout=120