From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au
Authentication-Results: passt.top;
	dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202602 header.b=UD30DZgI;
	dkim-atps=neutral
Received: from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])
	by passt.top (Postfix) with ESMTPS id E1D295A0265
	for <passt-dev@passt.top>; Mon, 04 May 2026 06:25:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202602; t=1777868749;
	bh=6p9PLHB9WrjlNPSry+DEmQU7FOZ554qdKUloeHU7nHo=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=UD30DZgIG3o+XAAcslbqW+xevXbpschp+wZ2O3syl1CtqevJs3bOnV+VUsEHePSx/
	 DL4SwjEmhxtCGV9i/wu34TtsND+P30lcTla30zbSDdD7lKwkJV9lLZ9nunS/2kSXt2
	 VGRmiI5WWlvvwZYiDm+490Ffog+ESdIBwdagXrWznliqallYnqlkrIuesn0+p6Hiw1
	 8WlnLIYyh232QyvDDE8OymMBxOJTEcfxY3y/XRQSVlBmYrT/QJfnj5p2VNolcUd0+P
	 +zreh+LCLoBZtlcGy/QfESdzdr2M1K+xeSOqABpO/oN259TQBmR+vec6GjnYOdI+4/
	 lEASTzhhpep6w==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4g87qd1Krqz4wJp; Mon, 04 May 2026 14:25:49 +1000 (AEST)
Date: Mon, 4 May 2026 14:24:05 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH v5 01/18] conf, fwd: Stricter rule checking in
 fwd_rule_add()
Message-ID: <afgfZXGUWwAQ1WDm@zatzit>
References: <20260421062516.2601204-1-david@gibson.dropbear.id.au>
 <20260421062516.2601204-2-david@gibson.dropbear.id.au>
 <a51ca0e5-f75e-4e98-95c5-10832c3fd1c4@redhat.com>
 <ae1q7Hjk0TIiyjgP@zatzit>
 <20260503235607.70fea978@elisabeth>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="2vL1t7ARdNp0yGar"
Content-Disposition: inline
In-Reply-To: <20260503235607.70fea978@elisabeth>
Message-ID-Hash: VNTO3K5I4TGGDD7I56U7J4Z52V7TLXDZ
X-Message-ID-Hash: VNTO3K5I4TGGDD7I56U7J4Z52V7TLXDZ
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Jon Maloy <jmaloy@redhat.com>, passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/afgfZXGUWwAQ1WDm@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/VNTO3K5I4TGGDD7I56U7J4Z52V7TLXDZ/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--2vL1t7ARdNp0yGar
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, May 03, 2026 at 11:56:08PM +0200, Stefano Brivio wrote:
> On Sun, 26 Apr 2026 11:31:24 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
>=20
> > On Sat, Apr 25, 2026 at 11:31:40AM -0400, Jon Maloy wrote:
> > >=20
> > >=20
> > > On 2026-04-21 02:24, David Gibson wrote: =20
> > > > Although fwd_rule_add() performs some sanity checks on the rule it =
is
> > > > given, there are invalid rules we don't check for, assuming that its
> > > > callers will do that.
> > > >  =20
> > >  =20
> > > > diff --git a/fwd.c b/fwd.c
> > > > index c7fd1a9d..979c1494 100644
> > > > --- a/fwd.c
> > > > +++ b/fwd.c
> > > > @@ -367,17 +367,59 @@ int fwd_rule_add(struct fwd_table *fwd, const=
 struct fwd_rule *new)
> > > >   		     new->first, new->last);
> > > >   		return -EINVAL;
> > > >   	}
> > > > +	if (!new->first) {
> > > > +		warn("Forwarding rule attempts to map from port 0");
> > > > +		return -EINVAL;
> > > > +	}
> > > > +	if (!new->to ||
> > > > +	    (in_port_t)(new->to + new->last - new->first) < new->to) {
> > > > +		warn("Forwarding rule attempts to map to port 0"); =20
> > >=20
> > > Not strictly true. We are also catching a range overflow case.
> > > Maybe "Forwarding rule maps to invalid port number" =20
> >=20
> > Well.. the specific overflow case is that the target range "wraps
> > around", thereby covering port 0, is the reasoning here.
>=20
> ...and any other range overflow case is covered by the earlier check:
>=20
> 	if (new->first > new->last) {
> 		warn("Rule has invalid port range %u-%u",
> 		     new->first, new->last);
> 		return -EINVAL;
> 	}
>=20
> so I'm leaving this as it was, in v6.

Right, that's pretty much what I was suggesting.

--=20
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

--2vL1t7ARdNp0yGar
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmn4H1cACgkQzQJF27ox
2GexbQ//UY8bxI9W7DFgMkkml+sT80UXTWmopaxhN+hBtWoSLMNpkYnRsUBk/fFC
kvWKqKAvSdh8b0l98g9fn4gEzYxRqQeHYJjSaQ8xS4n5+R0aBQkx39kYIemI2//K
OHpI4Tf2C9dPjYktH2rTwP2+GqCZ8egiRmthgkZk+c+ers9/6dh5OqnQ+Ga/CRWO
DuzhIvcjsNxBurj8id/LM7jg1gG4+bqmfaS5ormTlA6IGQyjjekYXZXGEg/fXe2Z
BTcxRBOutkvr5BVFp+ZYhVx8zE2njaChTEswsUjnCtvQ7L0vGLUbZFDhrpBiCRWE
C0eHGvQGGIrkZSNu0GmtJraHVwnTwhFQW1MTseDoMoQUSyXU2+PNOMOgqSPo6QC1
S/tHWvb1ZCl6lIOWC1O4E2klzCrm6Lad9Jx/JtCn3mOouhhnflSD8s6CeceobA+k
Wpvv+DDTCE1hwFICI8tBQiuzIl5L9m0YRhyrQ/VlLFOJKvuOCGukKd8/LA5DtVLY
Nu1al8ZtRk7JVxPsbi8B/2X3oxOmufC2Fdt6FcaArY5k6c09Q/dzO8Me/58H/AFw
hK4pXQEtA0dToC0WQxwUXkehtNHF/7vrlQ9Yq4nHYEqb6E0/r+ZHC56JTsw491t0
uyG0hf9QZnIROXBsS8ad2rgPuebGyLZEStb9AWPH8QgrIafQYP0=
=ZRYK
-----END PGP SIGNATURE-----

--2vL1t7ARdNp0yGar--