提交 169faa2e 编写于 作者: J Jozsef Kadlecsik

netfilter: ipset: Validate the set family and not the set type family at swapping

This closes netfilter bugzilla #843, reported by Quentin Armitage.
Signed-off-by: NJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
上级 0f1799ba
...@@ -1052,7 +1052,7 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb, ...@@ -1052,7 +1052,7 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
* Not an artificial restriction anymore, as we must prevent * Not an artificial restriction anymore, as we must prevent
* possible loops created by swapping in setlist type of sets. */ * possible loops created by swapping in setlist type of sets. */
if (!(from->type->features == to->type->features && if (!(from->type->features == to->type->features &&
from->type->family == to->type->family)) from->family == to->family))
return -IPSET_ERR_TYPE_MISMATCH; return -IPSET_ERR_TYPE_MISMATCH;
strncpy(from_name, from->name, IPSET_MAXNAMELEN); strncpy(from_name, from->name, IPSET_MAXNAMELEN);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册