Commit d349852d authored by Florian Westphal, committed by Zhengchao Shao

netfilter: nft_limit: reject configurations that cause integer overflow

mainline inclusion
from mainline-v6.8-rc2
commit c9d9eb9c53d37cdebbad56b91e40baf42d5a97aa
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9DNPD
CVE: CVE-2024-26668

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9d9eb9c53d37cdebbad56b91e40baf42d5a97aa



--------------------------------

Reject bogus configs where internal token counter wraps around.
This only occurs with very very large requests, such as 17gbyte/s.

It's better to reject this rather than having incorrect ratelimit.

Fixes: d2168e84 ("netfilter: nft_limit: add per-byte limiting")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Conflicts:
	net/netfilter/nft_limit.c

Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
parent 491f9044
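
The kind of configuration check the commit message describes, as an added userspace example; it is not the kernel patch, whose diff is not shown on this page. The function names, the bucket formula `unit * (rate + burst) / rate` and the 1 GiB burst value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL

/* Hypothetical helper (not kernel code): size a byte-rate token bucket in
 * nanosecond-scaled tokens as unit_ns * (rate + burst) / rate (assumed
 * formula) and reject any configuration whose intermediate values do not
 * fit in 64 bits, instead of installing a wrapped limit. */
static int limit_bytes_init(uint64_t rate, uint64_t burst, uint64_t unit_sec,
                            uint64_t *tokens_max)
{
    uint64_t nsecs, rate_with_burst, product;

    if (rate == 0)
        return -EINVAL;
    if (__builtin_mul_overflow(unit_sec, NSEC_PER_SEC, &nsecs))
        return -EOVERFLOW;
    if (__builtin_add_overflow(rate, burst, &rate_with_burst))
        return -EOVERFLOW;
    if (__builtin_mul_overflow(nsecs, rate_with_burst, &product))
        return -EOVERFLOW;

    *tokens_max = product / rate;
    return 0;
}

/* The same arithmetic without checks: the product wraps modulo 2^64 and
 * the resulting bucket is far smaller than the one requested. */
static uint64_t unchecked_tokens(uint64_t rate, uint64_t burst,
                                 uint64_t unit_sec)
{
    return unit_sec * NSEC_PER_SEC * (rate + burst) / rate;
}

int main(void)
{
    /* Constructed sample: 17 GiB/s rate with a 1 GiB burst. */
    uint64_t rate = 17ULL << 30, burst = 1ULL << 30, tokens = 0;
    int ret = limit_bytes_init(rate, burst, 1, &tokens);

    printf("checked:   ret=%d\n", ret);
    printf("unchecked: tokens=%llu\n",
           (unsigned long long)unchecked_tokens(rate, burst, 1));
    return ret == -EOVERFLOW ? 0 : 1;
}
```

`__builtin_mul_overflow` and `__builtin_add_overflow` are GCC/Clang builtins, used here as the userspace counterpart of overflow-checked arithmetic.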