nft is currently rejecting unknown UID/GID if they don't exist in the
system, relax this as Bjørnar Ness considers this is a valid scenario.
Now this only reports an error if you pass an unknown user (expressed as
string or if the UID/GID goes above 32 bits).
Reported-by: Bjørnar Ness <bjornar.ness@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/meta.c | 54 ++++++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 20 deletions(-)
diff --git a/src/meta.c b/src/meta.c
index 80c2638..32f3012 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -197,11 +197,14 @@ static void uid_type_print(const struct expr *expr)
struct passwd *pw;
if (numeric_output < NUMERIC_ALL) {
- pw = getpwuid(mpz_get_uint32(expr->value));
- if (pw != NULL) {
+ uint32_t uid = mpz_get_uint32(expr->value);
+
+ pw = getpwuid(uid);
+ if (pw != NULL)
printf("%s", pw->pw_name);
- return;
- }
+ else
+ printf("%d", uid);
+ return;
}
expr_basetype(expr)->print(expr);
}
@@ -210,19 +213,23 @@ static struct error_record *uid_type_parse(const struct expr *sym,
struct expr **res)
{
struct passwd *pw;
+ uint64_t uid;
+ char *endptr = NULL;
pw = getpwnam(sym->identifier);
- if (pw == NULL) {
- /* Try harder, lookup based on UID */
- pw = getpwuid(atol(sym->identifier));
- if (pw == NULL)
+ if (pw != NULL)
+ uid = pw->pw_uid;
+ else {
+ uid = strtoull(sym->identifier, &endptr, 10);
+ if (uid > UINT32_MAX)
+ return error(&sym->location, "Value too large");
+ else if (*endptr)
return error(&sym->location, "User does not exist");
}
*res = constant_expr_alloc(&sym->location, sym->dtype,
BYTEORDER_HOST_ENDIAN,
- sizeof(pw->pw_uid) * BITS_PER_BYTE,
- &pw->pw_uid);
+ sizeof(pw->pw_uid) * BITS_PER_BYTE, &uid);
return NULL;
}
@@ -242,11 +249,14 @@ static void gid_type_print(const struct expr *expr)
struct group *gr;
if (numeric_output < NUMERIC_ALL) {
- gr = getgrgid(mpz_get_uint32(expr->value));
- if (gr != NULL) {
+ uint32_t gid = mpz_get_uint32(expr->value);
+
+ gr = getgrgid(gid);
+ if (gr != NULL)
printf("%s", gr->gr_name);
- return;
- }
+ else
+ printf("%u", gid);
+ return;
}
expr_basetype(expr)->print(expr);
}
@@ -255,19 +265,23 @@ static struct error_record *gid_type_parse(const struct expr *sym,
struct expr **res)
{
struct group *gr;
+ uint64_t gid;
+ char *endptr = NULL;
gr = getgrnam(sym->identifier);
- if (gr == NULL) {
- /* Try harder, lookup based on GID */
- gr = getgrgid(atol(sym->identifier));
- if (gr == NULL)
+ if (gr != NULL)
+ gid = gr->gr_gid;
+ else {
+ gid = strtoull(sym->identifier, &endptr, 0);
+ if (gid > UINT32_MAX)
+ return error(&sym->location, "Value too large");
+ else if (*endptr)
return error(&sym->location, "Group does not exist");
}
*res = constant_expr_alloc(&sym->location, sym->dtype,
BYTEORDER_HOST_ENDIAN,
- sizeof(gr->gr_gid) * BITS_PER_BYTE,
- &gr->gr_gid);
+ sizeof(gr->gr_gid) * BITS_PER_BYTE, &gid);
return NULL;
}
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
