Re: [PATCH 2/3] netfilter: nf_tables: check for overflow of rule dlen field

On 05.03, Pablo Neira Ayuso wrote:
> > > Should we use -EOVERFLOW instead as we use in other nf_tables spots?
> > > 
> > > The error in userspace will be: "Value too large for defined data type".
> > 
> > I think the difference here is that we don't use a userspace provided
> > value but overflow because of the size of kernel internal structures and
> > the data type limit.
> 
> OK, we also have it when we pass too large amount of data for a
> register IIRC.

Sure. But that's data we pass, in that size. In this case it's data
the kernel allocates, the amount of which is defined purely by
the kernel.

> > I don't have any strong feelings either way, but I think it's different
> > from the cases where we use EOVERFLOW so far.
> 
> I don't have any strong opinion, just asking. You know we shouldn't
> change this afterwards.
> 
> Let me know.

I think this case shouldn't exist at all since it codifies kernel
internals into the API. Today we might accept 128 expressions, the
other day just 100, all depending on 32 or 64 bit systems. It's not
good.

The problem is I also don't want to increase the maximum rule size
to more than 4k since this will run into issues with memory
fragmentation. I think we need to decrease NFT_EXPR_MAXNUM, it's
unreasonably large, and then add a per expression maximum size.

For now I'd say apply it as it is, keep the different errno code
since it's a really different case, and we'll fix up the underlying
problem after a bit more thought.
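The distinction argued over in this thread, written out as an added example (this is not the patch under discussion and not nf_tables code): a register check rejects a length that userspace itself supplied, so EOVERFLOW fits, while the dlen check rejects a sum of kernel-internal struct sizes that userspace never chose. The dlen bit width (12 bits, so rules stay under 4k), the register width, the stand-in for NFT_EXPR_MAXNUM and the -ENOMEM/-E2BIG codes are all assumptions made for this illustration; the loop checks each addition before performing it so the running total can never wrap.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the patch under discussion. The limits below are
 * constructed for illustration: the thread mentions NFT_EXPR_MAXNUM and a
 * 4k maximum rule size, but the dlen field width, the register width and
 * the errno chosen for the dlen case are assumptions here. */
#define EX_REG_SIZE      16u	/* assumed register width in bytes */
#define EX_DLEN_BITS     12u	/* assumed width of the dlen bit-field */
#define EX_DLEN_MAX      ((1u << EX_DLEN_BITS) - 1)	/* 4095: rules stay under 4k */
#define EX_EXPR_MAXNUM   128u	/* constructed stand-in for NFT_EXPR_MAXNUM */

/* Userspace-supplied data that must fit a register: the length came from the
 * user, so EOVERFLOW ("value too large for defined data type") describes it. */
int ex_check_register_data(size_t user_len)
{
	return user_len > EX_REG_SIZE ? -EOVERFLOW : 0;
}

/* Sum the kernel-internal sizes of a rule's expressions into the dlen field.
 * The sizes are sizeof() values of kernel structs, not user input, so the
 * thread argues for a different errno; -ENOMEM is the assumption used here.
 * Each addition is checked beforehand so the running total cannot wrap. */
int ex_rule_compute_dlen(const size_t *expr_sizes, size_t nexprs, unsigned int *dlen)
{
	size_t total = 0;

	if (nexprs > EX_EXPR_MAXNUM)
		return -E2BIG;	/* assumed errno for too many expressions */

	for (size_t i = 0; i < nexprs; i++) {
		/* compare against the remaining room, never against total + size */
		if (expr_sizes[i] > EX_DLEN_MAX - total)
			return -ENOMEM;	/* would overflow the dlen field */
		total += expr_sizes[i];
	}
	*dlen = (unsigned int)total;
	return 0;
}

/* Shows the point made above: the same 128 expressions fit or do not fit
 * depending only on the kernel struct size (constructed 24 vs 40 bytes). */
int ex_rule_fits(size_t nexprs, size_t each_size)
{
	size_t sizes[EX_EXPR_MAXNUM];
	unsigned int dlen;

	if (nexprs > EX_EXPR_MAXNUM)
		return -E2BIG;
	for (size_t i = 0; i < nexprs; i++)
		sizes[i] = each_size;
	return ex_rule_compute_dlen(sizes, nexprs, &dlen);
}
```

With these constructed limits, 128 expressions of 24 bytes (3072 bytes) fit, 128 of 40 bytes (5120 bytes) are refused with the kernel-internal code, and a single absurd size such as SIZE_MAX is refused without the addition ever wrapping.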