Limit max timeout value to (UINT_MAX >> 1)/MSEC_PER_SEC

Due to the negative value condition in msecs_to_jiffies(), the real
max possible timeout value must be set to (UINT_MAX >> 1)/MSEC_PER_SEC.

Neutron Soutmun proposed the proper fix, but an insufficient one was
applied, see https://patchwork.ozlabs.org/patch/400405/.

diff --git a/kernel/include/linux/netfilter/ipset/ip_set_timeout.h b/kernel/include/linux/netfilter/ipset/ip_set_timeout.h
index 7ad8ddf9ca8a412cd69096c5780a510470b06778..8ce271e187b62f034e6b49140f81e5a8b0d90119 100644 (file)
--- a/kernel/include/linux/netfilter/ipset/ip_set_timeout.h
+++ b/kernel/include/linux/netfilter/ipset/ip_set_timeout.h
@@ -23,6 +23,9 @@
 /* Set is defined with timeout support: timeout value may be 0 */
 #define IPSET_NO_TIMEOUT       UINT_MAX
 
+/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
+#define IPSET_MAX_TIMEOUT      (UINT_MAX >> 1)/MSEC_PER_SEC
+
 #define ip_set_adt_opt_timeout(opt, set)       \
 ((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
 
@@ -32,11 +35,10 @@ ip_set_timeout_uget(struct nlattr *tb)
        unsigned int timeout = ip_set_get_h32(tb);
 
        /* Normalize to fit into jiffies */
-       if (timeout > UINT_MAX/MSEC_PER_SEC)
-               timeout = UINT_MAX/MSEC_PER_SEC;
+       if (timeout > IPSET_MAX_TIMEOUT)
+               timeout = IPSET_MAX_TIMEOUT;
 
-       /* Userspace supplied TIMEOUT parameter: adjust crazy size */
-       return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
+       return timeout;
 }
 
 static inline bool

diff --git a/kernel/net/netfilter/xt_set.c b/kernel/net/netfilter/xt_set.c
index f10c6de8e0c0c327644c2627ef83ba8f78f68017..43e54efe6c76f887cbffb114ad2a75ebee98e9f2 100644 (file)
--- a/kernel/net/netfilter/xt_set.c
+++ b/kernel/net/netfilter/xt_set.c
@@ -407,8 +407,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 
        /* Normalize to fit into jiffies */
        if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
-           add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)
-               add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;
+           add_opt.ext.timeout > IPSET_MAX_TIMEOUT)
+               add_opt.ext.timeout = IPSET_MAX_TIMEOUT;
        if (info->add_set.index != IPSET_INVALID_ID)
                ip_set_add(info->add_set.index, skb, CAST_TO_MATCH par,
                           &add_opt);
@@ -444,8 +444,8 @@ set_target_v3(struct sk_buff *skb, const struct xt_action_param *par)
 
        /* Normalize to fit into jiffies */
        if (add_opt.ext.timeout != IPSET_NO_TIMEOUT &&
-           add_opt.ext.timeout > UINT_MAX / MSEC_PER_SEC)
-               add_opt.ext.timeout = UINT_MAX / MSEC_PER_SEC;
+           add_opt.ext.timeout > IPSET_MAX_TIMEOUT)
+               add_opt.ext.timeout = IPSET_MAX_TIMEOUT;
        if (info->add_set.index != IPSET_INVALID_ID)
                ip_set_add(info->add_set.index, skb, CAST_TO_MATCH par,
                           &add_opt);

diff --git a/lib/parse.c b/lib/parse.c
index 7cd643632be84d3d5aa4a53974232768871b8efc..9a79ccda796c4ccf18c61200801c888b1e648582 100644 (file)
--- a/lib/parse.c
+++ b/lib/parse.c
@@ -1334,7 +1334,7 @@ ipset_parse_timeout(struct ipset_session *session,
        assert(opt == IPSET_OPT_TIMEOUT);
        assert(str);
 
-       err = string_to_number_ll(session, str, 0, UINT_MAX/1000, &llnum);
+       err = string_to_number_ll(session, str, 0, (UINT_MAX>>1)/1000, &llnum);
        if (err == 0) {
                /* Timeout is expected to be 32bits wide, so we have
                   to convert it here */

diff --git a/src/ipset.8 b/src/ipset.8
index cd8c3ad0b0dd9095e7cdd6b24a60333d30f8baed..87fb93814ddc47866fa553a1321271ed3de8e837 100644 (file)
--- a/src/ipset.8
+++ b/src/ipset.8
@@ -271,7 +271,8 @@ for new entries. If a set is created with timeout support, then the same
 \fBtimeout\fR option can be used to specify non\-default timeout values
 when adding entries. Zero timeout value means the entry is added permanent to the set.
 The timeout value of already added elements can be changed by re-adding the element
-using the \fB\-exist\fR option. Example:
+using the \fB\-exist\fR option. The largest possible timeout value is 2147483
+(in seconds). Example:
 .IP
 ipset create test hash:ip timeout 300
 .IP