[v1,2/9] sysctl: Fixes nf_conntrack_expect_max bounds

Commit Message

Nicolas Bouchinet Jan. 27, 2025, 2:19 p.m. UTC

From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>

Bound nf_conntrack_expect_max sysctl writings between SYSCTL_ONE
and SYSCTL_INT_MAX.

The proc_handler has thus been updated to proc_dointvec_minmax.

The lower bound is SYSCTL_ONE as defined in the sysctl documentation.

Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
---
 net/netfilter/nf_conntrack_standalone.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Patch

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 40ed3ef9cb22d..3ea60ff7a6a49 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -657,7 +657,9 @@  static struct ctl_table nf_ct_sysctl_table[] = {
 		.data		= &nf_ct_expect_max,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ONE,
+		.extra2		= SYSCTL_INT_MAX,
 	},
 	[NF_SYSCTL_CT_ACCT] = {
 		.procname	= "nf_conntrack_acct",