kernel-2.6.18-238.el5.src.rpm

From: Amerigo Wang <amwang@redhat.com>
Date: Thu, 24 Sep 2009 05:49:27 -0400
Subject: [net] ipt_recent: sanity check hit count
Message-id: 20090924095201.4810.50815.sendpatchset@localhost.localdomain
O-Subject: [PATCH RHEL5.5] ipt_recent: sanity check hit count
Bugzilla: 523982
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: David Miller <davem@redhat.com>

BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=523982

Description:
If a rule using ipt_recent is created with a hit count greater than
ip_pkt_list_tot, the rule will never match as it cannot keep track
of enough timestamps. This patch makes ipt_recent refuse to create such
rules.

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=2003172

KABI:
No harm.

Upstream status:
Commit d0ebf133590abdc035af6e19a6568667af0ab3b0.

Test status:
I tested it on x86_64, it works as expected.

Signed-off-by: WANG Cong <amwang@redhat.com>

diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 61a2139..35d1725 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -246,6 +246,8 @@ ipt_recent_checkentry(const char *tablename, const void *ip,
 	if ((info->check_set & (IPT_RECENT_SET | IPT_RECENT_REMOVE)) &&
 	    (info->seconds || info->hit_count))
 		return 0;
+	if (info->hit_count > ip_pkt_list_tot)
+		return 0;
 	if (info->name[0] == '\0' ||
 	    strnlen(info->name, IPT_RECENT_NAME_LEN) == IPT_RECENT_NAME_LEN)
 		return 0;
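
Review bot: the added `if (info->hit_count > ip_pkt_list_tot) return 0;` in ipt_recent_checkentry rejects the rule silently, so an administrator whose rule is refused gets no indication that the hit count exceeded ip_pkt_list_tot. Consider emitting a kernel log message before the return that names the requested hit count and the current limit, and adding a one-line comment above the check explaining that a larger hit count can never match because not enough timestamps are kept. It is also worth confirming that hit_count and ip_pkt_list_tot have the same signedness, since a mixed signed/unsigned comparison here would change which values the check rejects.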