mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-04 08:08:54 +00:00
netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets
[ Upstream commitdb3b665dd7
] The existing rbtree implementation might store consecutive elements where the closing element and the opening element might overlap, eg. [ a, a+1) [ a+1, a+2) This patch removes the optimization for non-anonymous sets in the exact matching case, where it is assumed to stop searching in case that the closing element is found. Instead, invalidate candidate interval and keep looking further in the tree. The lookup/get operation might return false, while there is an element in the rbtree. Moreover, the get operation returns true as if a+2 would be in the tree. This happens with named sets after several set updates. The existing lookup optimization (that only works for the anonymous sets) might not reach the opening [ a+1,... element if the closing ...,a+1) is found in first place when walking over the rbtree. Hence, walking the full tree in that case is needed. This patch fixes the lookup and get operations. Fixes:e701001e7c
("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates") Fixes:ba0e4d9917
("netfilter: nf_tables: get set elements via netlink") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
17a7f9d865
commit
495258074d
1 changed files with 16 additions and 5 deletions
|
@ -74,8 +74,13 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
|
|||
parent = rcu_dereference_raw(parent->rb_left);
|
||||
continue;
|
||||
}
|
||||
if (nft_rbtree_interval_end(rbe))
|
||||
goto out;
|
||||
if (nft_rbtree_interval_end(rbe)) {
|
||||
if (nft_set_is_anonymous(set))
|
||||
return false;
|
||||
parent = rcu_dereference_raw(parent->rb_left);
|
||||
interval = NULL;
|
||||
continue;
|
||||
}
|
||||
|
||||
*ext = &rbe->ext;
|
||||
return true;
|
||||
|
@ -88,7 +93,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
|
|||
*ext = &interval->ext;
|
||||
return true;
|
||||
}
|
||||
out:
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
@ -139,8 +144,10 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
|
|||
if (flags & NFT_SET_ELEM_INTERVAL_END)
|
||||
interval = rbe;
|
||||
} else {
|
||||
if (!nft_set_elem_active(&rbe->ext, genmask))
|
||||
if (!nft_set_elem_active(&rbe->ext, genmask)) {
|
||||
parent = rcu_dereference_raw(parent->rb_left);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) ||
|
||||
(*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) ==
|
||||
|
@ -148,7 +155,11 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
|
|||
*elem = rbe;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
||||
if (nft_rbtree_interval_end(rbe))
|
||||
interval = NULL;
|
||||
|
||||
parent = rcu_dereference_raw(parent->rb_left);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue