Message-ID: <Z5lhkiWI9-nP9O1g@calendula>
Date: Wed, 29 Jan 2025 00:00:34 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: nicolas.bouchinet@...p-os.org
Cc: netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
coreteam@...filter.org
Subject: Re: [PATCH v1 1/9] sysctl: Fixes nf_conntrack_max bounds
Hi,
Please collapse patches 1/9 and 2/9 and post the result to
netfilter-devel@...r.kernel.org, targeting the nf-next tree.
Thanks.
On Mon, Jan 27, 2025 at 03:19:58PM +0100, nicolas.bouchinet@...p-os.org wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
>
> Bound nf_conntrack_max sysctl writes between SYSCTL_ZERO
> and SYSCTL_INT_MAX.
>
> The proc_handler has thus been updated to proc_dointvec_minmax.
>
> Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
> ---
> net/netfilter/nf_conntrack_standalone.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 7d4f0fa8b609d..40ed3ef9cb22d 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -619,7 +619,9 @@ static struct ctl_table nf_ct_sysctl_table[] = {
> .data = &nf_conntrack_max,
> .maxlen = sizeof(int),
> .mode = 0644,
> - .proc_handler = proc_dointvec,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_INT_MAX,
> },
> [NF_SYSCTL_CT_COUNT] = {
> .procname = "nf_conntrack_count",
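Review bot: the `.extra2 = SYSCTL_INT_MAX` upper bound on an entry with `.maxlen = sizeof(int)` is redundant, because proc_dointvec_minmax cannot store a value above INT_MAX into an int in the first place; the only behavioural change in this hunk is that `.extra1 = SYSCTL_ZERO` makes a negative write to net.netfilter.nf_conntrack_max fail with -EINVAL, where proc_dointvec previously accepted it as-is. The commit message only names the bounds, so please spell out that rejecting negative values is the point of the change. If the INT_MAX bound is kept for consistency with other minmax entries, a one-line comment saying so would spare the next reader the same question.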
> @@ -948,7 +950,9 @@ static struct ctl_table nf_ct_netfilter_table[] = {
> .data = &nf_conntrack_max,
> .maxlen = sizeof(int),
> .mode = 0644,
> - .proc_handler = proc_dointvec,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_INT_MAX,
> },
> };
>
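Review bot: this entry in nf_ct_netfilter_table points at the same variable as the one in nf_ct_sysctl_table (both use `.data = &nf_conntrack_max`), so the `.extra1`/`.extra2` pair must stay identical in both tables, otherwise the legacy net.nf_conntrack_max path would accept values that net.netfilter.nf_conntrack_max rejects. The patch does keep them identical, but a short comment on one of the two entries noting that they must be kept in sync, or pulling the handler and bounds into a shared macro, would guard against the two copies drifting apart later.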
> --
> 2.48.1
>
>