[Devel] [PATCH RHEL7 COMMIT] ms/netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets

Vasily Averin vvs at virtuozzo.com
Sun Dec 20 11:49:13 MSK 2020 

The commit is pushed to "branch-rh7-3.10.0-1160.11.1.vz7.172.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.11.1.vz7.172.1
------>
commit c8ec02a7c34e389e578c84d027a9e7dd132f106e
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Dec 20 11:49:13 2020 +0300

    ms/netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets
    
    The existing rbtree implementation might store consecutive elements
    where the closing element and the opening element might overlap, eg.
    
    	[ a, a+1) [ a+1, a+2)
    
    This patch removes the optimization for non-anonymous sets in the exact
    matching case, where it is assumed to stop searching in case that the
    closing element is found. Instead, invalidate candidate interval and
    keep looking further in the tree.
    
    The lookup/get operation might return false, while there is an element
    in the rbtree. Moreover, the get operation returns true as if a+2 would
    be in the tree. This happens with named sets after several set updates.
    
    The existing lookup optimization (that only works for the anonymous
    sets) might not reach the opening [ a+1,... element if the closing
    ...,a+1) is found in first place when walking over the rbtree. Hence,
    walking the full tree in that case is needed.
    
    This patch fixes the lookup and get operations.
    
    Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
    Fixes: ba0e4d9917b4 ("netfilter: nf_tables: get set elements via netlink")
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
    (cherry picked from commit db3b665dd77b34e34df00e17d7b299c98fcfb2c5)
    VvS: dropped hooks fixed missing __nft_rbtree_get()
    VvS: nft_set_is_anonymous() rplaced by direct flag check
    https://jira.sw.ru/browse/PSBM-121318
    Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
---
 net/netfilter/nft_rbtree.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
index ab95e57..7b7c173 100644
--- a/net/netfilter/nft_rbtree.c
+++ b/net/netfilter/nft_rbtree.c
@@ -74,8 +74,13 @@ static bool nft_rbtree_lookup(const struct nft_set *set, const u32 *key,
 				parent = parent->rb_left;
 				continue;
 			}
-			if (nft_rbtree_interval_end(rbe))
-				goto out;
+			if (nft_rbtree_interval_end(rbe)) {
+				if (set->flags & NFT_SET_ANONYMOUS)
+					goto out;
+				parent = parent->rb_left;
+				interval = NULL;
+				continue;
+			}
 			spin_unlock_bh(&nft_rbtree_lock);
 
 			*ext = &rbe->ext;

More information about the Devel mailing list