On Thu, Jan 19, 2017 at 10:00:20PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@xxxxxxxxx>
>
> Currently, if the user add a stateful object with the name size exceed
> NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
> This is not friendly, furthermore, this will cause duplicated stateful
> objects when the first 31 characters of the name is same. So limit the
> stateful object's name size to NFT_OBJ_MAXNAMELEN - 1.
>
> After apply this patch, error message will be printed out like this:
> # name_32=$(printf "%0.sQ" {1..32})
> # nft add counter filter $name_32
> <cmdline>:1:1-52: Error: Could not process rule: Numerical result out
> of range
> add counter filter QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Good catch.
At quick glance, I can see other spots lacking this validation:
static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] =
{
[NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
Probably review and fix them in one go?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
