On Thu, Mar 05, 2015 at 04:31:22PM +0000, Patrick McHardy wrote: > On 05.03, Pablo Neira Ayuso wrote: > > On Tue, Mar 03, 2015 at 08:04:19PM +0000, Patrick McHardy wrote: > > > Check that the space required for the expressions doesn't exceed the > > > size of the dlen field, which would lead to the iterators crashing. > > > > > > Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx> > > > --- > > > net/netfilter/nf_tables_api.c | 4 ++++ > > > 1 file changed, 4 insertions(+) > > > > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > > index 6fb532b..7baafd5 100644 > > > --- a/net/netfilter/nf_tables_api.c > > > +++ b/net/netfilter/nf_tables_api.c > > > @@ -1968,6 +1968,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb, > > > n++; > > > } > > > } > > > + /* Check for overflow of dlen field */ > > > + err = -EFBIG; > > > > Should we use -EOVERFLOW instead as we use in other nf_tables spots? > > > > The error in userspace will be: "Value too large for defined data type". > > I think the difference here is that we don't use a userspace provided > value but overflow because of the size of kernel internal structures and > the data type limit. OK, we also have it when we pass too large amount of data for a register IIRC. > I don't have any strong feelings either way, but I think its different > from the cases where we use EOVERFLOW so far. I don't have any strong opinion, just asking. You know we shouldn't change this afterwards. Let me know. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html