On 05.01, Pablo Neira Ayuso wrote:
> On Mon, Jan 05, 2015 at 11:22:35AM +0000, Patrick McHardy wrote:
> > On 05.01, Pablo Neira Ayuso wrote:
> > > Relax the checking that was introduced in 97840cb ("netfilter:
> > > nfnetlink: fix insufficient validation in nfnetlink_bind") when the
> > > subscription bitmask is used. Existing userspace code may request
> > > to listen to all of the existing netlink groups by setting an all to one
> > > subscription group bitmask. Netlink already validates subscription via
> > > setsockopt() for us.
> >
> > What is the point of doing this? I don't think it's particularly
> > reasonable to subscribe to ~0 unless you're implementing some kind of
> > monitor.
>
> This is how we've been supporting this since the beginning. So
> userspace applications could subscribe to ~0 and don't care if the
> group exists or not.
>
> After the recent change, those will break. None of the userspace
> netfilter codebase actually needs this, but other third party
> applications will break when binding if they were using ~0 for
> monitoring.
>
> > We also don't know whether a bitmask or an invalid group number was
> > used, so the comment below is at least misleading.
> >
> > And, unrelated, but since it went in via netfilter asking anyway, why
> > is the group number signed? That doesn't make any sense, it is treated
> > as unsigned everywhere else.
>
> That should be changed, yes.

Assuming you mean both the signedness and the comment, that seems fine.