Re: [PATCH v3] netfilter: nf_tables: Ensure init attributes are within the bounds

kbuild test robot <lkp@xxxxxxxxx> · Mon, 22 Aug 2016 23:27:47 +0800

Hi Laura,

[auto build test WARNING on nf-next/master]
[also build test WARNING on v4.8-rc3 next-20160822]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
[Suggest to use git(>=2.9.0) format-patch --base=<commit> (or --base=auto for convenience) to record what (public, well-known) commit your patch series was built on]
[Check https://git-scm.com/docs/git-format-patch for more information]

url:    https://github.com/0day-ci/linux/commits/Laura-Garcia-Liebana/netfilter-nf_tables-Ensure-init-attributes-are-within-the-bounds/20160818-194709
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-randconfig-s4-08190653 (attached as .config)
compiler: gcc-6 (Debian 6.1.1-9) 6.1.1 20160705
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All warnings (new ones prefixed by >>):

   In file included from include/linux/linkage.h:4:0,
                    from include/linux/kernel.h:6,
                    from net/netfilter/nft_cmp.c:11:
   net/netfilter/nft_cmp.c: In function 'nft_cmp_init':
   net/netfilter/nft_cmp.c:91:18: error: 'NFT_CMP_MAX' undeclared (first use in this function)
     if (priv->op >= NFT_CMP_MAX)
                     ^
   include/linux/compiler.h:149:30: note: in definition of macro '__trace_if'
     if (__builtin_constant_p(!!(cond)) ? !!(cond) :   \
                                 ^~~~
>> net/netfilter/nft_cmp.c:91:2: note: in expansion of macro 'if'
     if (priv->op >= NFT_CMP_MAX)
     ^~
   net/netfilter/nft_cmp.c:91:18: note: each undeclared identifier is reported only once for each function it appears in
     if (priv->op >= NFT_CMP_MAX)
                     ^
   include/linux/compiler.h:149:30: note: in definition of macro '__trace_if'
     if (__builtin_constant_p(!!(cond)) ? !!(cond) :   \
                                 ^~~~
>> net/netfilter/nft_cmp.c:91:2: note: in expansion of macro 'if'
     if (priv->op >= NFT_CMP_MAX)
     ^~

vim +/if +91 net/netfilter/nft_cmp.c

     5	 * it under the terms of the GNU General Public License version 2 as
     6	 * published by the Free Software Foundation.
     7	 *
     8	 * Development of this code funded by Astaro AG (http://www.astaro.com/)
     9	 */
    10	
  > 11	#include <linux/kernel.h>
    12	#include <linux/init.h>
    13	#include <linux/module.h>
    14	#include <linux/netlink.h>
    15	#include <linux/netfilter.h>
    16	#include <linux/netfilter/nf_tables.h>
    17	#include <net/netfilter/nf_tables_core.h>
    18	#include <net/netfilter/nf_tables.h>
    19	
    20	struct nft_cmp_expr {
    21		struct nft_data		data;
    22		enum nft_registers	sreg:8;
    23		u8			len;
    24		enum nft_cmp_ops	op:8;
    25	};
    26	
    27	static void nft_cmp_eval(const struct nft_expr *expr,
    28				 struct nft_regs *regs,
    29				 const struct nft_pktinfo *pkt)
    30	{
    31		const struct nft_cmp_expr *priv = nft_expr_priv(expr);
    32		int d;
    33	
    34		d = memcmp(&regs->data[priv->sreg], &priv->data, priv->len);
    35		switch (priv->op) {
    36		case NFT_CMP_EQ:
    37			if (d != 0)
    38				goto mismatch;
    39			break;
    40		case NFT_CMP_NEQ:
    41			if (d == 0)
    42				goto mismatch;
    43			break;
    44		case NFT_CMP_LT:
    45			if (d == 0)
    46				goto mismatch;
    47		case NFT_CMP_LTE:
    48			if (d > 0)
    49				goto mismatch;
    50			break;
    51		case NFT_CMP_GT:
    52			if (d == 0)
    53				goto mismatch;
    54		case NFT_CMP_GTE:
    55			if (d < 0)
    56				goto mismatch;
    57			break;
    58		}
    59		return;
    60	
    61	mismatch:
    62		regs->verdict.code = NFT_BREAK;
    63	}
    64	
    65	static const struct nla_policy nft_cmp_policy[NFTA_CMP_MAX + 1] = {
    66		[NFTA_CMP_SREG]		= { .type = NLA_U32 },
    67		[NFTA_CMP_OP]		= { .type = NLA_U32 },
    68		[NFTA_CMP_DATA]		= { .type = NLA_NESTED },
    69	};
    70	
    71	static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
    72				const struct nlattr * const tb[])
    73	{
    74		struct nft_cmp_expr *priv = nft_expr_priv(expr);
    75		struct nft_data_desc desc;
    76		int err;
    77	
    78		err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc,
    79				    tb[NFTA_CMP_DATA]);
    80		BUG_ON(err < 0);
    81	
    82		priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]);
    83		err = nft_validate_register_load(priv->sreg, desc.len);
    84		if (err < 0)
    85			return err;
    86	
    87		if (desc.len > U8_MAX)
    88			return -ERANGE;
    89		priv->len = desc.len;
    90		priv->op  = ntohl(nla_get_be32(tb[NFTA_CMP_OP]));
  > 91		if (priv->op >= NFT_CMP_MAX)
    92			return -ERANGE;
    93	
    94		return 0;

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Attachment:
.config.gz

Description: Binary data