[Bug 1769492] Re: ipset: setting timeout value higher than 2147483 leads to unpredicted results
Leonidas S. Barbosa
1769492 at bugs.launchpad.net
Mon May 7 17:41:42 UTC 2018
Hi Maxim!
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.
In addition, it seems this issue was already reported upstream here: http://netfilter-devel.vger.kernel.narkive.com/ORm91EOQ/ipset-bad-timeout-assignments
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ipset in Ubuntu.
https://bugs.launchpad.net/bugs/1769492
Title:
ipset: setting timeout value higher than 2147483 leads to unpredicted results
Status in ipset package in Ubuntu:
New
Bug description:
Ubuntu 16 LTS and 18 LTS contain a package "ipset" which is a
companion utility for "iptables" to contain large lists of IP
addresses.
Ubuntu 16 LTS comes with ipset v6.29, Ubuntu 18 LTS comes with ipset
v6.34.
Both versions contain a bug: setting a list timeout value (for an
entry) higher than 2147483 leads to unpredictable results.
The value of "2147483" is "MaxInt / 1000" or 2^31/1000.
It might have been better to support higher values (use a 64-bit integer
for the timeout to store values higher than MaxInt) or to report an error
to the user for values higher than 2147483.
The current behavior, where values higher than 2147483 are silently
changed to 4294967, is not what the user might have expected.
Because of this, I think that this current behavior, included in Ubuntu
16 LTS and Ubuntu 18 LTS, is a bug.
Could you please fix this bug?
Here is a script to illustrate that (it outputs timeouts gradually
increasing by one second, but after 2147482 the value jumps to
4294967):
#!/bin/bash
ipset create list-0 hash:ip timeout 2147480
ipset create list-1 hash:ip timeout 2147481
ipset create list-2 hash:ip timeout 2147482
ipset create list-3 hash:ip timeout 2147483
ipset create list-4 hash:ip timeout 2147484
ipset create list-5 hash:ip timeout 2147485
ipset create list-6 hash:ip timeout 2147486
ipset create list-7 hash:ip timeout 2147487
ipset add list-0 127.0.0.127
ipset add list-1 127.0.0.127
ipset add list-2 127.0.0.127
ipset add list-3 127.0.0.127
ipset add list-4 127.0.0.127
ipset add list-5 127.0.0.127
ipset add list-6 127.0.0.127
ipset add list-7 127.0.0.127
ipset list | grep "127.0.0.127 timeout "
ipset destroy list-0
ipset destroy list-1
ipset destroy list-2
ipset destroy list-3
ipset destroy list-4
ipset destroy list-5
ipset destroy list-6
ipset destroy list-7
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ipset/+bug/1769492/+subscriptions
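As an added illustration (not code from ipset, the kernel, or the report above), a C model of the arithmetic the report describes: a seconds-to-milliseconds conversion stored in a signed 32-bit value wraps for anything above INT_MAX / 1000 = 2147483, while a checked conversion rejects such values instead of storing a different timeout. The unchecked function is a simplified stand-in for the kernel's conversion, which is an assumption, not its actual code.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Largest timeout in seconds whose millisecond value still fits in a signed
 * 32-bit int: INT_MAX / 1000 = 2147483, the threshold named in the report. */
#define MAX_TIMEOUT_SECONDS ((uint32_t)(INT_MAX / 1000))

/* Unchecked seconds -> milliseconds conversion into a signed 32-bit slot.
 * Simplified model, NOT ipset's code. The product is formed in 64 bits and
 * then truncated; the truncation wraps modulo 2^32 on gcc/clang (two's
 * complement), which is what makes the stored timeout wrong above the limit. */
int32_t timeout_ms_unchecked(uint32_t seconds)
{
    return (int32_t)(uint32_t)((uint64_t)seconds * 1000u);
}

/* Checked conversion: refuse out-of-range input so the caller can report an
 * error to the user. Returns 0 on success, -1 when seconds is too large. */
int timeout_ms_checked(uint32_t seconds, uint32_t *ms_out)
{
    if (seconds > MAX_TIMEOUT_SECONDS)
        return -1;
    *ms_out = seconds * 1000u;   /* at most INT_MAX here, no wrap possible */
    return 0;
}

/* 1 when the unchecked path stores something other than the requested
 * timeout (negative, or not round-tripping back to the same seconds). */
int timeout_silently_altered(uint32_t seconds)
{
    int32_t ms = timeout_ms_unchecked(seconds);
    return ms < 0 || (uint32_t)ms / 1000u != seconds;
}

int main(void)
{
    /* Constructed sample values around the two 32-bit boundaries. */
    const uint32_t samples[] = { 2147482, 2147483, 2147484, 4294967, 4294968 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t s = samples[i], ms = 0;
        printf("timeout %u s: unchecked -> %d ms (%s), checked -> %s\n",
               s, timeout_ms_unchecked(s),
               timeout_silently_altered(s) ? "ALTERED" : "ok",
               timeout_ms_checked(s, &ms) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```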