On 05.01, Pablo Neira Ayuso wrote:
> On Mon, Jan 05, 2015 at 11:22:35AM +0000, Patrick McHardy wrote:
> > On 05.01, Pablo Neira Ayuso wrote:
> > > Relax the checking that was introduced in 97840cb ("netfilter:
> > > nfnetlink: fix insufficient validation in nfnetlink_bind") when the
> > > subscription bitmask is used. Existing userspace code code may request
> > > to listen to all of the existing netlink groups by setting an all to one
> > > subscription group bitmask. Netlink already validates subscription via
> > > setsockopt() for us.
> >
> > What is the point of doing this? I don't think its particulary
> > reasonable to subscribe to ~0 unless you're implementing some kind of
> > monitor.
>
> This is how we've been supporting this since the beginning. So
> userspace applications could subscribe to ~0 and don't care if the
> group exists or not.
>
> After the recent change, those will break. None of the userspace
> netfilter codebase actually need this, but other third party
> application will break when binding if they were using ~0 for
> monitoring.
>
> > We also don't know whether a bitmask or an invalid group number was
> > used, so the comment below is at least misleading.
> >
> > And, unrelated, but since it went in via netfilter asking anyway, why
> > is the group number signed? That doesn't make any sense, it is treated
> > as unsigned everywhere else.
>
> That should be changed, yes.
Assuming you mean both the signedness and the comment, that seems fine.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
