From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: Andreas Herz <andi@geekosphere.org>
Cc: netfilter@vger.kernel.org
Subject: Re: Bug in ipset with big timeouts
Date: Fri, 20 Apr 2012 15:31:57 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.00.1204201531010.1373@blackhole.kfki.hu> (raw)
In-Reply-To: <20120419124750.GA22975@sweethome.fritz.box>
Hi,
On Thu, 19 Apr 2012, Andreas Herz wrote:
> If you create sets or add an element with a big timeout this can result
> in a wrong timeout or even no entry. This occurs on 32 and 64 Bit and
> the problem comes from the msecs_to_jiffies function. But first the
> steps to reproduce the bug:
>
> x86_64/amd64:
>
> > ipset create test1 hash:net timeout 4294967
> > ipset create test2 hash:net timeout 4294968
> > ipset add test1 192.168.0.0/24
> > ipset add test2 192.168.0.0/24
> > ipset list
>
> this will result in an empty test2 set and in an test1 set with the
> entry and correct timeout.
>
> Another example
>
> > ipset create test hash:net timeout 1
> > ipset add test 192.168.0.0/24 timeout 4294968
> > ipset list
>
> empty list, but
>
> > ipset add test 192.168.0.0/24 timeout 42949680
> > ipset list
>
> results in
>
> > 192.168.0.0/24 timeout 5
>
> so an overflow.
>
> x86/32-Bit:
>
> > ipset create test hash:net timeout 1000
> > ipset add test 192.168.0.0/24 timeout 2147484
> > ipset list
>
> results in:
>
> > 192.168.0.0/24 timeout 1073741
>
> it's working up to 2147483.
>
> This is imho a bug as ipset says
>
> > ipset v6.11: Syntax error: '4294967296' is out of range 0-4294967295
>
> so 4294967295 should be the maximum and it isn't.
>
> I checked the source code and i think the following fix could help:
>
> in kernel/include/linux/netfilter/ipset/ip_set_timeout.h the
> ip_set_timeout_set needs to look like this:
>
> > if ((timeout > (INT_MAX/1000)) || ((int)(timeout*1000) < 0)) timeout =
> > (INT_MAX/1000);
> > t = msecs_to_jiffies(timeout * 1000) + jiffies;
>
> I added this if clause so "t" won't get bigger then 2147483 (32-Bit) or
> 4294967 (64-Bit). The problem is, that msecs_to_jiffies() returns
> "MAX_JIFFY_OFFSET" in the case mentioned at 32-Bit, this explains the
> 1073741 value. And with the other values there is an overflow. My fix
> may be wrong, so no guarantee, i'm still testing around and the overflow
> isn't clear to me right now, i just figured out the problem with
> "MAX_JIFFY_OFFSET".
It looks like a bug, I'm going to fix it at the weekend. A new ipset
release is to be expected...
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
prev parent reply other threads:[~2012-04-20 13:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-19 12:47 Bug in ipset with big timeouts Andreas Herz
2012-04-20 13:31 ` Jozsef Kadlecsik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.00.1204201531010.1373@blackhole.kfki.hu \
--to=kadlec@blackhole.kfki.hu \
--cc=andi@geekosphere.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.