netfilter: ipset: fix hash size checking in kernel

[linux-flexiantxendom0-3.2.10.git] / net / netfilter / ipset / ip_set_hash_ip.c

diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index c99e861..828ce46 100644 (file)
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -53,7 +53,8 @@ struct hash_ip4_telem {
 
 static inline bool
 hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
-                   const struct hash_ip4_elem *ip2)
+                   const struct hash_ip4_elem *ip2,
+                   u32 *multi)
 {
        return ip1->ip == ip2->ip;
 }
@@ -116,6 +117,7 @@ hash_ip4_data_next(struct ip_set_hash *h, const struct hash_ip4_elem *d)
 
 static int
 hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb,
+             const struct xt_action_param *par,
              enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
        const struct ip_set_hash *h = set->data;
@@ -177,8 +179,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 
                if (cidr > 32)
                        return -IPSET_ERR_INVALID_CIDR;
-               ip &= ip_set_hostmask(cidr);
-               ip_to = ip | ~ip_set_hostmask(cidr);
+               ip_set_mask_from_to(ip, ip_to, cidr);
        } else
                ip_to = ip;
 
@@ -225,7 +226,8 @@ struct hash_ip6_telem {
 
 static inline bool
 hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
-                   const struct hash_ip6_elem *ip2)
+                   const struct hash_ip6_elem *ip2,
+                   u32 *multi)
 {
        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
 }
@@ -239,7 +241,7 @@ hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
 static inline void
 hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src)
 {
-       ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
+       dst->ip.in6 = src->ip.in6;
 }
 
 static inline void
@@ -296,6 +298,7 @@ hash_ip6_data_next(struct ip_set_hash *h, const struct hash_ip6_elem *d)
 
 static int
 hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb,
+             const struct xt_action_param *par,
              enum ipset_adt adt, const struct ip_set_adt_opt *opt)
 {
        const struct ip_set_hash *h = set->data;
@@ -361,13 +364,14 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 {
        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
        u8 netmask, hbits;
+       size_t hsize;
        struct ip_set_hash *h;
 
-       if (!(set->family == AF_INET || set->family == AF_INET6))
+       if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
                return -IPSET_ERR_INVALID_FAMILY;
-       netmask = set->family == AF_INET ? 32 : 128;
+       netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
        pr_debug("Create set %s with family %s\n",
-                set->name, set->family == AF_INET ? "inet" : "inet6");
+                set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
 
        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
@@ -386,8 +390,8 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        if (tb[IPSET_ATTR_NETMASK]) {
                netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
 
-               if ((set->family == AF_INET && netmask > 32) ||
-                   (set->family == AF_INET6 && netmask > 128) ||
+               if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
+                   (set->family == NFPROTO_IPV6 && netmask > 128) ||
                    netmask == 0)
                        return -IPSET_ERR_INVALID_NETMASK;
        }
@@ -402,9 +406,12 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        h->timeout = IPSET_NO_TIMEOUT;
 
        hbits = htable_bits(hashsize);
-       h->table = ip_set_alloc(
-                       sizeof(struct htable)
-                       + jhash_size(hbits) * sizeof(struct hbucket));
+       hsize = htable_size(hbits);
+       if (hsize == 0) {
+               kfree(h);
+               return -ENOMEM;
+       }
+       h->table = ip_set_alloc(hsize);
        if (!h->table) {
                kfree(h);
                return -ENOMEM;
@@ -416,15 +423,15 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        if (tb[IPSET_ATTR_TIMEOUT]) {
                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-               set->variant = set->family == AF_INET
+               set->variant = set->family == NFPROTO_IPV4
                        ? &hash_ip4_tvariant : &hash_ip6_tvariant;
 
-               if (set->family == AF_INET)
+               if (set->family == NFPROTO_IPV4)
                        hash_ip4_gc_init(set);
                else
                        hash_ip6_gc_init(set);
        } else {
-               set->variant = set->family == AF_INET
+               set->variant = set->family == NFPROTO_IPV4
                        ? &hash_ip4_variant : &hash_ip6_variant;
        }
 
@@ -440,8 +447,9 @@ static struct ip_set_type hash_ip_type __read_mostly = {
        .protocol       = IPSET_PROTOCOL,
        .features       = IPSET_TYPE_IP,
        .dimension      = IPSET_DIM_ONE,
-       .family         = AF_UNSPEC,
-       .revision       = 0,
+       .family         = NFPROTO_UNSPEC,
+       .revision_min   = 0,
+       .revision_max   = 0,
        .create         = hash_ip_create,
        .create_policy  = {
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },