Re: [PATCH] netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()

From: Pablo Neira Ayuso
Date: Wed Aug 04 2021 - 04:44:14 EST


On Tue, Aug 03, 2021 at 12:18:13PM -0700, Nathan Chancellor wrote:
> Clang warns:
>
> net/netfilter/ipset/ip_set_hash_ipportnet.c:249:29: warning: variable
> 'port_to' is uninitialized when used here [-Wuninitialized]
> if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE)
> ^~~~~~~
> net/netfilter/ipset/ip_set_hash_ipportnet.c:167:45: note: initialize the
> variable 'port_to' to silence this warning
> u32 ip = 0, ip_to = 0, p = 0, port, port_to;
> ^
> = 0
> net/netfilter/ipset/ip_set_hash_ipportnet.c:249:39: warning: variable
> 'port' is uninitialized when used here [-Wuninitialized]
> if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE)
> ^~~~
> net/netfilter/ipset/ip_set_hash_ipportnet.c:167:36: note: initialize the
> variable 'port' to silence this warning
> u32 ip = 0, ip_to = 0, p = 0, port, port_to;
> ^
> = 0
> 2 warnings generated.
>
> The range check was added before port and port_to are initialized.
> Shuffle the check after the initialization so that the check works
> properly.

For the record: I have squashed this fix into the original patch in
nf.git to make it easier to pass it on to -stable.

Thanks.