netfilter: ipset: fix hash size checking in kernel

[linux-flexiantxendom0-3.2.10.git] / net / netfilter / ipset / ip_set_hash_netiface.c

diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index e13095d..33bafc9 100644 (file)
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -163,7 +163,8 @@ struct hash_netiface4_elem_hashed {
        __be32 ip;
        u8 physdev;
        u8 cidr;
-       u16 padding;
+       u8 nomatch;
+       u8 padding;
 };
 
 #define HKEY_DATALEN   sizeof(struct hash_netiface4_elem_hashed)
@@ -173,7 +174,8 @@ struct hash_netiface4_elem {
        __be32 ip;
        u8 physdev;
        u8 cidr;
-       u16 padding;
+       u8 nomatch;
+       u8 padding;
        const char *iface;
 };
 
@@ -182,7 +184,8 @@ struct hash_netiface4_telem {
        __be32 ip;
        u8 physdev;
        u8 cidr;
-       u16 padding;
+       u8 nomatch;
+       u8 padding;
        const char *iface;
        unsigned long timeout;
 };
@@ -207,11 +210,25 @@ hash_netiface4_data_isnull(const struct hash_netiface4_elem *elem)
 
 static inline void
 hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
-                        const struct hash_netiface4_elem *src) {
+                        const struct hash_netiface4_elem *src)
+{
        dst->ip = src->ip;
        dst->cidr = src->cidr;
        dst->physdev = src->physdev;
        dst->iface = src->iface;
+       dst->nomatch = src->nomatch;
+}
+
+static inline void
+hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
+{
+       dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+}
+
+static inline bool
+hash_netiface4_data_match(const struct hash_netiface4_elem *elem)
+{
+       return !elem->nomatch;
 }
 
 static inline void
@@ -233,11 +250,13 @@ hash_netiface4_data_list(struct sk_buff *skb,
 {
        u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 
+       if (data->nomatch)
+               flags |= IPSET_FLAG_NOMATCH;
        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
        NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
        if (flags)
-               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
+               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
        return 0;
 
 nla_put_failure:
@@ -252,11 +271,13 @@ hash_netiface4_data_tlist(struct sk_buff *skb,
                (const struct hash_netiface4_telem *)data;
        u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 
+       if (data->nomatch)
+               flags |= IPSET_FLAG_NOMATCH;
        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
        NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
        if (flags)
-               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
+               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
                      htonl(ip_set_timeout_get(tdata->timeout)));
 
@@ -361,7 +382,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
 
        if (tb[IPSET_ATTR_CIDR]) {
                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
-               if (!data.cidr)
+               if (!data.cidr || data.cidr > HOST_MASK)
                        return -IPSET_ERR_INVALID_CIDR;
        }
 
@@ -387,6 +408,8 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
                u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
                if (cadt_flags & IPSET_FLAG_PHYSDEV)
                        data.physdev = 1;
+               if (adt == IPSET_ADD && (cadt_flags & IPSET_FLAG_NOMATCH))
+                       flags |= (cadt_flags << 16);
        }
 
        if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
@@ -440,7 +463,8 @@ struct hash_netiface6_elem_hashed {
        union nf_inet_addr ip;
        u8 physdev;
        u8 cidr;
-       u16 padding;
+       u8 nomatch;
+       u8 padding;
 };
 
 #define HKEY_DATALEN   sizeof(struct hash_netiface6_elem_hashed)
@@ -449,7 +473,8 @@ struct hash_netiface6_elem {
        union nf_inet_addr ip;
        u8 physdev;
        u8 cidr;
-       u16 padding;
+       u8 nomatch;
+       u8 padding;
        const char *iface;
 };
 
@@ -457,7 +482,8 @@ struct hash_netiface6_telem {
        union nf_inet_addr ip;
        u8 physdev;
        u8 cidr;
-       u16 padding;
+       u8 nomatch;
+       u8 padding;
        const char *iface;
        unsigned long timeout;
 };
@@ -488,8 +514,21 @@ hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
 }
 
 static inline void
+hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
+{
+       dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+}
+
+static inline bool
+hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
+{
+       return !elem->nomatch;
+}
+
+static inline void
 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
 {
+       elem->cidr = 0;
 }
 
 static inline void
@@ -514,11 +553,13 @@ hash_netiface6_data_list(struct sk_buff *skb,
 {
        u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 
+       if (data->nomatch)
+               flags |= IPSET_FLAG_NOMATCH;
        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
        NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
        if (flags)
-               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
+               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
        return 0;
 
 nla_put_failure:
@@ -533,11 +574,13 @@ hash_netiface6_data_tlist(struct sk_buff *skb,
                (const struct hash_netiface6_telem *)data;
        u32 flags = data->physdev ? IPSET_FLAG_PHYSDEV : 0;
 
+       if (data->nomatch)
+               flags |= IPSET_FLAG_NOMATCH;
        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
        NLA_PUT_STRING(skb, IPSET_ATTR_IFACE, data->iface);
        if (flags)
-               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, flags);
+               NLA_PUT_NET32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags));
        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
                      htonl(ip_set_timeout_get(e->timeout)));
        return 0;
@@ -636,7 +679,7 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
 
        if (tb[IPSET_ATTR_CIDR])
                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
-       if (!data.cidr)
+       if (!data.cidr || data.cidr > HOST_MASK)
                return -IPSET_ERR_INVALID_CIDR;
        ip6_netmask(&data.ip, data.cidr);
 
@@ -662,6 +705,8 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
                u32 cadt_flags = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
                if (cadt_flags & IPSET_FLAG_PHYSDEV)
                        data.physdev = 1;
+               if (adt == IPSET_ADD && (cadt_flags & IPSET_FLAG_NOMATCH))
+                       flags |= (cadt_flags << 16);
        }
 
        ret = adtfn(set, &data, timeout, flags);
@@ -677,8 +722,9 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        struct ip_set_hash *h;
        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
        u8 hbits;
+       size_t hsize;
 
-       if (!(set->family == AF_INET || set->family == AF_INET6))
+       if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
                return -IPSET_ERR_INVALID_FAMILY;
 
        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -697,7 +743,7 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 
        h = kzalloc(sizeof(*h)
                    + sizeof(struct ip_set_hash_nets)
-                     * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+                     * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
        if (!h)
                return -ENOMEM;
 
@@ -707,9 +753,12 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        h->ahash_max = AHASH_MAX_SIZE;
 
        hbits = htable_bits(hashsize);
-       h->table = ip_set_alloc(
-                       sizeof(struct htable)
-                       + jhash_size(hbits) * sizeof(struct hbucket));
+       hsize = htable_size(hbits);
+       if (hsize == 0) {
+               kfree(h);
+               return -ENOMEM;
+       }
+       h->table = ip_set_alloc(hsize);
        if (!h->table) {
                kfree(h);
                return -ENOMEM;
@@ -722,15 +771,15 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
        if (tb[IPSET_ATTR_TIMEOUT]) {
                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-               set->variant = set->family == AF_INET
+               set->variant = set->family == NFPROTO_IPV4
                        ? &hash_netiface4_tvariant : &hash_netiface6_tvariant;
 
-               if (set->family == AF_INET)
+               if (set->family == NFPROTO_IPV4)
                        hash_netiface4_gc_init(set);
                else
                        hash_netiface6_gc_init(set);
        } else {
-               set->variant = set->family == AF_INET
+               set->variant = set->family == NFPROTO_IPV4
                        ? &hash_netiface4_variant : &hash_netiface6_variant;
        }
 
@@ -746,8 +795,9 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
        .protocol       = IPSET_PROTOCOL,
        .features       = IPSET_TYPE_IP | IPSET_TYPE_IFACE,
        .dimension      = IPSET_DIM_TWO,
-       .family         = AF_UNSPEC,
+       .family         = NFPROTO_UNSPEC,
        .revision_min   = 0,
+       .revision_max   = 1,    /* nomatch flag support added */
        .create         = hash_netiface_create,
        .create_policy  = {
                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },