netfilter: nft_set_hash: disable fast_ops for 2-len keys
Closes: #880145
parent 4b0df3bed7
commit e7fd57b49f
@ -50,6 +50,7 @@ linux (4.13.11-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* cifs: check MaxPathNameComponentLength != 0 before using it.
Thanks to Andrew Chadwick (Closes: #880504)
* netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 04 Nov 2017 09:54:41 +0100
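Review bot: the netfilter changelog line gives only the bug number and omits the user-visible effect, which matters to anyone scanning this changelog for firewall-affecting regressions: per the patch description, fixed-size nftables sets with a 2-byte key (such as the tcp dport set in the reproducer) were looked up with a different hash than they were inserted with, so rules using them silently failed to match. Suggest extending the entry and citing the commit from the patch's Origin line, e.g. `* netfilter: nft_set_hash: disable fast_ops for 2-len keys; fixes lookups in fixed-size nft sets with 2-byte keys (upstream 0414c78f1486) (Closes: #880145)`.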
debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch (new file, 57 lines)
@ -0,0 +1,57 @@
From: Anatole Denis <anatole@rezel.net>
Date: Wed, 4 Oct 2017 01:17:14 +0100
Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys
Origin: https://git.kernel.org/linus/0414c78f14861cb704d6e6888efd53dd36e3bdde
Bug-Debian: https://bugs.debian.org/880145
jhash_1word of a u16 is a different value from jhash of the same u16 with
length 2.
Since elements are always inserted in sets using jhash over the actual
klen, this would lead to incorrect lookups on fixed-size sets with a key
length of 2, as they would be inserted with hash value jhash(key, 2) and
looked up with hash value jhash_1word(key), which is different.
Example reproducer(v4.13+), using anonymous sets which always have a
fixed size:
table inet t {
chain c {
type filter hook output priority 0; policy accept;
tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
tcp dport 10001 counter packets 4 bytes 240 reject
tcp dport 10003 counter packets 4 bytes 240 reject
tcp dport 10005 counter packets 4 bytes 240 reject
tcp dport 10007 counter packets 0 bytes 0 reject
tcp dport 10009 counter packets 4 bytes 240 reject
}
}
then use nc -z localhost <port> to probe; incorrectly hashed ports will
pass through the set lookup and increment the counter of an individual
rule.
jhash being seeded with a random value, it is not deterministic which
ports will incorrectly hash, but in testing with 5 ports in the set I
always had 4 or 5 with an incorrect hash value.
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_set_hash.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 0fa01d772c5e..9c0d5a7ce5f9 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -643,7 +643,6 @@ nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc,
{
if (desc->size) {
switch (desc->klen) {
- case 2:
case 4:
return &nft_hash_fast_ops;
default:
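Review bot: deleting `case 2:` in nft_hash_select_ops fixes the mismatch, but nothing in the code now records why klen 2 is excluded from nft_hash_fast_ops while `case 4:` remains, so a later cleanup could re-add it and silently reintroduce the failed lookups; add a comment next to the switch with the reason from the description, e.g. `/* klen 2 must not use fast_ops: jhash_1word(u16) != jhash(key, 2) */`. It would also help to state in the patch description that 2-byte keys now take the `default:` path, i.e. the fix gives up the fast path for correctness rather than making its hash consistent with the jhash-over-klen used at insertion.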
--
2.11.0
@ -79,6 +79,7 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch
bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch
# Miscellaneous features