Re: [PATCH v2] nfnetlink_queue: add security context information

I was wondering, assuming I remove the NULL termination and SMACK sends a piece of data that's not null terminated,
how, on the userland side, can I find out about that size?

Please notice that I sent a libnetfilter_queue patch:
[PATCH] libnetfilter_queue: receive security context info

it uses
*secdata = (unsigned char *)nfnl_get_pointer_to_data(nfad->data, NFQA_SECCTX, char);
to get the security context data, but there is no info about the size; where can I find that, so as not to go over bounds and read beyond what I should?

I already have the patch prepared with the NULL termination removed, but I'd like to make sure it will be ok.

best regards
On 05/25/2015 10:52 PM, Florian Westphal wrote:
> Roman Kubiak <r.kubiak@xxxxxxxxxxx> wrote:
>> [sidenote]
>> The additional NULL at the end of the security context is there because SMACK does not add this
>> to its labels while SELinux does. So in order to avoid checking I just add it always.
>> This additional byte is also represented when calculating the size.
>> I did that because we are not transmitting the size of the context and there is no specified
>> max length, so it has to be NULL terminated (at least it seemed like a valid solution).
> 
> The netlink header contains the size of the attribute.
> I'd prefer to not have the kernel deal with NULL termination.
> 
>> +static u32 nfqnl_get_sk_secctx(struct sock *sk, char **secdata)
>> +{
>> +	u32 secid = 0;
>> +	u32 seclen = 0;
>> +	int ret = -1;
>> +
>> +	if (!sk || !sk_fullsock(sk))
>> +		return ret;
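Review bot: the early exit returns `ret = -1` from a function declared `u32`, so the caller receives 0xffffffff rather than an error; the `if (seclen > 0)` check in the size calculation below would then treat it as a valid length and add `nla_total_size(0xffffffff)` to the message size. Return `seclen` (still 0 at that point) and drop `ret`, or give the function a signed return type and check for `< 0` at the call site.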
> 
> return 0/return seclen?
> 
>> +	if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
>> +		seclen = nfqnl_get_sk_secctx(entskb->sk, &secdata);
>> +			if (seclen > 0)
>> +				size += nla_total_size(seclen) + 1;
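Review bot: apart from the indentation of `if (seclen > 0)`, the `+ 1` for the terminator is added outside `nla_total_size(seclen)`, so it is not included in the attribute's alignment padding and the reserved size can be off by the NLA_ALIGN rounding. If the terminator stays, this should be `size += nla_total_size(seclen + 1);`; if NULL termination is dropped, just `size += nla_total_size(seclen);`.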
> 
> Wrong indent level for if (seclen > 0)
> 
> Other than this, it looks ok to me.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
--------------
 Roman Kubiak
--------------
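The answer to the question above (where userland gets the size of the context) is the one Florian gives: the netlink attribute header carries it in nla_len. The following is an added example, not code from the thread, from the kernel patch, or from libnetfilter_queue. It re-declares the nlattr header layout and the NLA_ALIGN/NLA_HDRLEN macros from <linux/netlink.h> so it builds without kernel headers, uses a placeholder numeric value for NFQA_SECCTX (the real value lives in the nfnetlink_queue UAPI header), and constructs its own attribute stream in memory. It shows how to recover the payload length from the header, copy the context into a bounded buffer and terminate it in userland, and reject a truncated or malformed attribute instead of reading past it. It handles both the SELinux case (kernel-supplied trailing NUL) and the SMACK case (no NUL).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors struct nlattr from <linux/netlink.h>; redeclared here so the
 * example builds without kernel headers (assumption: same 2+2 byte layout). */
struct nlattr_hdr {
    uint16_t nla_len;   /* NLA_HDRLEN + payload bytes, excluding trailing pad */
    uint16_t nla_type;
};

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr_hdr)))

/* Placeholder value for NFQA_SECCTX; the real enum value is defined in the
 * kernel UAPI header, not here. */
#define EXAMPLE_NFQA_SECCTX 99

/* Payload length of the attribute starting at `off`. The header's nla_len
 * covers header + payload, so the size is recoverable without a terminator.
 * Returns -1 if the header is cut off, claims less than its own size, or
 * claims more bytes than the buffer holds. */
int nla_payload_len(const unsigned char *buf, size_t buflen, size_t off)
{
    struct nlattr_hdr h;

    if (off + sizeof h > buflen)
        return -1;
    memcpy(&h, buf + off, sizeof h);
    if (h.nla_len < NLA_HDRLEN || off + h.nla_len > buflen)
        return -1;
    return (int)h.nla_len - NLA_HDRLEN;
}

/* Walk the attribute stream looking for `type`. Returns the payload offset
 * and stores its length in *len_out, or -1 if absent or malformed. */
int nla_find(const unsigned char *buf, size_t buflen, uint16_t type, int *len_out)
{
    size_t off = 0;

    while (off + sizeof(struct nlattr_hdr) <= buflen) {
        struct nlattr_hdr h;
        int plen = nla_payload_len(buf, buflen, off);

        if (plen < 0)
            return -1;          /* truncated or inconsistent header: stop */
        memcpy(&h, buf + off, sizeof h);
        if (h.nla_type == type) {
            *len_out = plen;
            return (int)(off + NLA_HDRLEN);
        }
        off += NLA_ALIGN((size_t)h.nla_len);
    }
    return -1;
}

/* Copy the security context into `out` and terminate it there, whether or
 * not the kernel appended a NUL. Returns the number of context bytes
 * (excluding the terminator we add), or -1 if the attribute is missing,
 * malformed, or `out` is too small. */
int copy_secctx(const unsigned char *buf, size_t buflen, char *out, size_t outlen)
{
    int plen;
    int off = nla_find(buf, buflen, EXAMPLE_NFQA_SECCTX, &plen);

    if (off < 0)
        return -1;
    /* SELinux-style contexts may already carry a trailing NUL; drop it so
     * both LSMs yield the same string. */
    if (plen > 0 && buf[off + plen - 1] == '\0')
        plen--;
    if ((size_t)plen + 1 > outlen)
        return -1;
    memcpy(out, buf + off, (size_t)plen);
    out[plen] = '\0';
    return plen;
}

/* Constructed sample: an unrelated 4-byte attribute followed by a SECCTX
 * attribute carrying `ctx`; `add_nul` mimics SELinux (1) vs SMACK (0).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_sample(unsigned char *buf, size_t buflen, const char *ctx, int add_nul)
{
    struct nlattr_hdr h;
    uint32_t mark = 0x1234;   /* constructed filler attribute */
    size_t clen = strlen(ctx) + (add_nul ? 1 : 0);
    size_t total = NLA_ALIGN(NLA_HDRLEN + sizeof mark) + NLA_ALIGN(NLA_HDRLEN + clen);
    size_t off = 0;

    if (total > buflen || NLA_HDRLEN + clen > UINT16_MAX)
        return 0;
    memset(buf, 0, total);    /* zero the alignment padding up front */

    h.nla_len = (uint16_t)(NLA_HDRLEN + sizeof mark);
    h.nla_type = 1;           /* placeholder type for the filler attribute */
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLA_HDRLEN, &mark, sizeof mark);
    off += NLA_ALIGN((size_t)h.nla_len);

    h.nla_len = (uint16_t)(NLA_HDRLEN + clen);
    h.nla_type = EXAMPLE_NFQA_SECCTX;
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLA_HDRLEN, ctx, clen);
    off += NLA_ALIGN((size_t)h.nla_len);
    return off;
}

int main(void)
{
    unsigned char msg[128];
    char ctx[64];
    size_t n = build_sample(msg, sizeof msg, "Hat", 0);  /* SMACK-style, no NUL */
    int len = copy_secctx(msg, n, ctx, sizeof ctx);

    printf("secctx len=%d value=\"%s\"\n", len, len >= 0 ? ctx : "");
    return 0;
}
```

The point for the libnetfilter_queue side is that nfnl_get_pointer_to_data() only hands back a pointer; the length check has to come from the attribute header (in libnfnetlink terms, the attribute's payload length), and the terminator should be added in the caller's own buffer rather than trusted to be present.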