On Fri, 2016-03-18 at 22:58 +0100, Pablo Neira Ayuso wrote: > This patch introduces the generic __xt_entry_foreach() that includes a > new parameter to account for remaining entry bytes in the table that we > didn't walk so far. If the amount of remaining bytes is zero, then we > keep validating this table, otherwise for < 0 we just reject this. > > Reported-by: Ben Hawkes <hawkes@xxxxxxxxxx> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > --- > Slightly tested here, will be spinning on this again with more testing > tomorrow morning. I'll appreciate any extra hand on testing this > further. > > include/linux/netfilter/x_tables.h | 10 ++++++++++ > net/ipv4/netfilter/arp_tables.c | 17 +++++++++++++++-- > net/ipv4/netfilter/ip_tables.c | 16 ++++++++++++++-- > net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++-- > 4 files changed, 53 insertions(+), 6 deletions(-) > > diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h > index c557741..1206830 100644 > --- a/include/linux/netfilter/x_tables.h > +++ b/include/linux/netfilter/x_tables.h > @@ -411,6 +411,16 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu) > struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *); > void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *); > > +/* Similar to xt_entry_foreach, but this tell us how many bytes are remaining > + * after the iteration. If remain is < 0 then this table we're iterating over > + * is wrong. > + */ > +#define __xt_entry_foreach(pos, ehead, esize, remain) \ > + for ((pos) = (typeof(pos))(ehead), (remain) = (esize); \ > + (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ > + (remain) -= (pos)->next_offset, \ > + (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) > + > #ifdef CONFIG_COMPAT > #include <net/compat.h> > > diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c > index b488cac..9081cda 100644 > --- a/net/ipv4/netfilter/arp_tables.c 
> +++ b/net/ipv4/netfilter/arp_tables.c > @@ -637,6 +637,7 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, > struct arpt_entry *iter; > unsigned int i; > int ret = 0; > + s64 remain; > Looks overkill to use s64 on 32bit kernels? long should be enough I guess.
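Review bot: in the x_tables.h hunk, the increment step of `__xt_entry_foreach()` reads `(pos)->next_offset` and advances `pos` before the loop condition checks the new position, so the macro itself cannot catch a `next_offset` of 0 (the loop would never advance) or an entry header that straddles the end of `esize`; it relies entirely on the loop body having validated the current entry's size before the increment runs. The header comment should state that precondition, and should also say that `remain` is only meaningful after the loop terminates: it is 0 only when the entries tile `esize` exactly, and negative when the last `next_offset` overshoots the table. Minor: "this tell us" in the comment should read "this tells us", and the double-underscore prefix in `__xt_entry_foreach` sits in the identifier space C reserves for the implementation.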