[PATCH nft] parser: Check commentaries length


 



Checks the maximum comment length and reports an error to the user when it is exceeded.

The parser's comment rule was simplified in order to centralize the length
check.

Signed-off-by: Carlos Falgueras García <carlosfg@xxxxxxxxxx>
---
 include/parser.h   |  6 ++++++
 src/parser_bison.y | 31 ++++++++++++++++++++-----------
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 92beab2..f48fcfd 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -13,6 +13,12 @@
 
 #define SCOPE_NEST_MAX			3
 
+/*
+ * This maximum is set to 32 bytes in order to keep the coherence with others
+ * string length in nft objects
+ */
+#define MAX_COMM_LEN			32
+
 struct parser_state {
 	struct input_descriptor		*indesc;
 	struct input_descriptor		indescs[MAX_INCLUDE_DEPTH];
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 0452b8f..c159684 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -440,7 +440,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %destructor { close_scope(state); table_free($$); }	table_block_alloc
 %type <chain>			chain_block_alloc chain_block
 %destructor { close_scope(state); chain_free($$); }	chain_block_alloc
-%type <rule>			rule
+%type <rule>			rule rule_alloc
 %destructor { rule_free($$); }	rule
 
 %type <val>			set_flag_list	set_flag
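Review bot: `rule_alloc` now carries a heap-allocated rule, but the `%destructor { rule_free($$); }` on the following line is still declared only for `rule`, so a `rule_alloc` value that the parser discards during error recovery is never freed. The new `YYERROR` inside `comment_spec` makes exactly this path reachable from the `rule_alloc comment_spec` production, leaking the rule and its statement list on every over-long comment. Extend the destructor: `%destructor { rule_free($$); }	rule rule_alloc`.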
@@ -1271,12 +1271,13 @@ ruleid_spec		:	chain_spec	handle_spec	position_spec
 			}
 			;
 
-comment_spec		:	/* empty */
-			{
-				$$ = NULL;
-			}
-			|	COMMENT		string
+comment_spec		:	COMMENT		string
 			{
+				if (strlen($2) > MAX_COMM_LEN) {
+					erec_queue(error(&@2, "Comment too long.  %d character maximun allowed", MAX_COMM_LEN),
+						   state->msgs);
+					YYERROR;
+				}
 				$$ = $2;
 			}
 			;
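Review bot: The error message passed to erec_queue misspells "maximum" as "maximun" and has a doubled space; suggest `"Comment too long. %d character maximum allowed"`. The limit is applied with strlen, i.e. in bytes, so a multi-byte UTF-8 comment of fewer than 32 characters can be rejected while the message speaks of characters — either say "bytes" in the message or document that MAX_COMM_LEN is a byte count. On the YYERROR path `$2` is abandoned; unless the `string` nonterminal has a %destructor that frees it (not visible in this hunk), that allocation leaks as well.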
@@ -1293,18 +1294,26 @@ ruleset_spec		:	/* empty */
 			}
 			;
 
-rule			:	stmt_list	comment_spec
+rule			:	rule_alloc
+			{
+				$$->comment = NULL;
+			}
+			|	rule_alloc	comment_spec
+			{
+				$$->comment = $2;
+			}
+			;
+
+rule_alloc		:	stmt_list
 			{
 				struct stmt *i;
 
 				$$ = rule_alloc(&@$, NULL);
-				$$->comment = $2;
 				list_for_each_entry(i, $1, list)
 					$$->num_stmts++;
 				list_splice_tail($1, &$$->stmts);
 				xfree($1);
 			}
-			;
 
 stmt_list		:	stmt
 			{
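Review bot: Both new `rule` actions dereference `$$` without assigning it first — `$$->comment = NULL;` and `$$->comment = $2;` rely on Bison having pre-initialised `$$` from `$1`, which the yacc.c skeleton does but explicitly documents as behaviour users must not rely on. Make it explicit with `$$ = $1; $$->comment = NULL;` and `$$ = $1; $$->comment = $2;`. The removed `;` after the `rule_alloc` action leaves that production unterminated; Bison accepts this, but newer releases may warn, so keep the `;`. As a point of style, the nonterminal `rule_alloc` shares its name with the C function `rule_alloc()` called inside its own action, which reads confusingly next to the `table_block_alloc`/`chain_block_alloc` naming used elsewhere in this file; a name such as `rule_block` or `rule_stmts` would avoid that.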
@@ -2027,9 +2036,9 @@ set_elem_option		:	TIMEOUT			time_spec
 			{
 				$<expr>0->timeout = $2 * 1000;
 			}
-			|	COMMENT			string
+			|	comment_spec
 			{
-				$<expr>0->comment = $2;
+				$<expr>0->comment = $1;
 			}
 			;
 
-- 
2.8.2



