| author | Jozsef Kadlecsik <kadlec@netfilter.org> | 2021-07-28 17:01:15 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-12-02 17:40:00 +0100 |
| commit | e62e62ea912a49f7230620f1bdc20410b943a44c (patch) | |
| tree | f5b2941a46302f7650cb17b5422cb82ee17515f0 /include | |
| parent | 8dca384970acd94dd88aee60b1264e81e48d4ad1 (diff) | |
| download | linux-e62e62ea912a49f7230620f1bdc20410b943a44c.tar.gz linux-e62e62ea912a49f7230620f1bdc20410b943a44c.tar.bz2 linux-e62e62ea912a49f7230620f1bdc20410b943a44c.zip | |
netfilter: ipset: Limit the maximal range of consecutive elements to add/delete
[ Upstream commit 5f7b51bf09baca8e4f80cbe879536842bafb5f31 ]
The range size of consecutive elements was not limited. Thus one could
define a huge range which may result in soft lockup errors due to the long
execution time. Now the range size is limited to 2^20 entries.
Reported-by: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: c7aa1a76d4a0 ("netfilter: ipset: regression in ip_set_hash_ip.c")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index ab192720e2d6..53c9a17ecb3e 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h @@ -198,6 +198,9 @@ struct ip_set_region { u32 elements; /* Number of elements vs timeout */ }; +/* Max range where every element is added/deleted in one step */ +#define IPSET_MAX_RANGE (1<<20) + /* The core set type structure */ struct ip_set_type { struct list_head list; |
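Review bot: The new `IPSET_MAX_RANGE` macro in ip_set.h is defined as `(1<<20)`, a signed int, while the range sizes it will be compared against in the set types are `u32` element counts; consider `(1U << 20)` to avoid signed/unsigned comparison warnings at the enforcement sites, and expand the one-line comment to say what happens when a range exceeds the limit (the commit message says the operation is rejected to avoid soft lockups, but the header does not). Note also that this view is limited to `include/`, so only the definition is visible here; the checks that actually apply the limit in the hash and bitmap set types live in the net/netfilter/ipset part of the same upstream change and should be reviewed together with this header.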
