netfilter: ipset: Validate the set family and not the set type family at swapping
author Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 16 Sep 2013 18:07:35 +0000 (20:07 +0200)
committer Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 16 Sep 2013 18:36:05 +0000 (20:36 +0200)
This closes netfilter bugzilla #843, reported by Quentin Armitage.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
net/netfilter/ipset/ip_set_core.c

index c8c303c3386fbca9aaf1c5e4aa94f5985da05bab..f2e30fb31e78efa405156ca99ba9aeaded3ea49c 100644 (file)
@@ -1052,7 +1052,7 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
         * Not an artificial restriction anymore, as we must prevent
         * possible loops created by swapping in setlist type of sets. */
        if (!(from->type->features == to->type->features &&
-             from->type->family == to->type->family))
+             from->family == to->family))
                return -IPSET_ERR_TYPE_MISMATCH;
 
        strncpy(from_name, from->name, IPSET_MAXNAMELEN);
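
Review bot: the comment above the condition in ip_set_swap() still explains only the setlist loop concern and says nothing about the family comparison, while the changed line now compares from->family with to->family, so two sets of the same type but with different families are rejected with -IPSET_ERR_TYPE_MISMATCH, which reads as a type error to the caller. Suggest extending the comment to state that both the type features and the per-set family must match before a swap is allowed, and adding a sentence to the commit message on what the type-family comparison got wrong, since it currently only cites bugzilla #843.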