Re: [PATCH] netfilter: x_tables: ensure e->next_offset consistency with table size

On Fri, 2016-03-18 at 22:58 +0100, Pablo Neira Ayuso wrote:
> This patch introduces the generic __xt_entry_foreach() that includes a
> new parameter to account for remaining entry bytes in the table that we
> didn't walk so far. If the amount of remaining bytes is zero, then we
> keep validating this table, otherwise for < 0 we just reject this.
> 
> Reported-by: Ben Hawkes <hawkes@xxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> Slightly tested here, will be spinning on this again with more testing
> tomorrow morning. I'll appreciate any extra hand on testing this
> further.
> 
>  include/linux/netfilter/x_tables.h | 10 ++++++++++
>  net/ipv4/netfilter/arp_tables.c    | 17 +++++++++++++++--
>  net/ipv4/netfilter/ip_tables.c     | 16 ++++++++++++++--
>  net/ipv6/netfilter/ip6_tables.c    | 16 ++++++++++++++--
>  4 files changed, 53 insertions(+), 6 deletions(-)
> 
> diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
> index c557741..1206830 100644
> --- a/include/linux/netfilter/x_tables.h
> +++ b/include/linux/netfilter/x_tables.h
> @@ -411,6 +411,16 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
>  struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
>  void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
>  
> +/* Similar to xt_entry_foreach, but this tell us how many bytes are remaining
> + * after the iteration. If remain is < 0 then this table we're iterating over
> + * is wrong.
> + */
> +#define __xt_entry_foreach(pos, ehead, esize, remain)			\
> +	for ((pos) = (typeof(pos))(ehead), (remain) = (esize);		\
> +	     (pos) < (typeof(pos))((char *)(ehead) + (esize));		\
> +	     (remain) -= (pos)->next_offset,				\
> +	     (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
> +
>  #ifdef CONFIG_COMPAT
>  #include <net/compat.h>
>  
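Review bot: the macro only makes `remain` negative after the walk has finished, because the loop exits as soon as `pos` crosses `(char *)(ehead) + (esize)` and the subtraction of `(pos)->next_offset` happens in the increment expression; the header comment should say explicitly that every caller must test `remain < 0` after the loop rather than inside it, and that `remain` must be a signed type wide enough to hold `esize`. Minor: "this tell us" should read "this tells us".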
> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
> index b488cac..9081cda 100644
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -637,6 +637,7 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
>  	struct arpt_entry *iter;
>  	unsigned int i;
>  	int ret = 0;
> +	s64 remain;
>  
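Review bot: `s64 remain` forces 64-bit arithmetic on 32-bit kernels for a counter that only ever starts at the table size and has `next_offset` subtracted from it; a signed `long` (or `int`, as long as it cannot overflow for the largest accepted table size) preserves the `< 0` check with native-width arithmetic, and whichever type is chosen should match the other callers that are converted in this series so the check behaves identically in ip_tables and ip6_tables.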

Looks overkill to use s64 on 32-bit kernels?
long should be enough, I guess.

