Re: [PATCH nf 2/3] netfilter: nfnetlink: relax strict multicast group from netlink_bind

On 05.01, Pablo Neira Ayuso wrote:
> On Mon, Jan 05, 2015 at 11:22:35AM +0000, Patrick McHardy wrote:
> > On 05.01, Pablo Neira Ayuso wrote:
> > > Relax the checking that was introduced in 97840cb ("netfilter:
> > > nfnetlink: fix insufficient validation in nfnetlink_bind") when the
> > > subscription bitmask is used. Existing userspace code may request
> > > to listen to all of the existing netlink groups by setting an all to one
> > > subscription group bitmask. Netlink already validates subscription via
> > > setsockopt() for us.
> > 
> > What is the point of doing this? I don't think it's particularly
> > reasonable to subscribe to ~0 unless you're implementing some kind of
> > monitor.
> 
> This is how we've been supporting this since the beginning. So
> userspace applications could subscribe to ~0 and don't care if the
> group exists or not.
> 
> After the recent change, those will break. None of the userspace
> netfilter codebase actually needs this, but other third-party
> applications will break when binding if they were using ~0 for
> monitoring.
> 
> > We also don't know whether a bitmask or an invalid group number was
> > used, so the comment below is at least misleading.
> > 
> > And, unrelated, but since it went in via netfilter asking anyway, why
> > is the group number signed? That doesn't make any sense, it is treated
> > as unsigned everywhere else.
> 
> That should be changed, yes.

Assuming you mean both the signedness and the comment, that seems fine.