2017-01-19 22:09 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> On Thu, Jan 19, 2017 at 10:00:20PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <zlpnobody@xxxxxxxxx>
>>
>> Currently, if the user add a stateful object with the name size exceed
>> NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
>> This is not friendly, furthermore, this will cause duplicated stateful
>> objects when the first 31 characters of the name is same. So limit the
>> stateful object's name size to NFT_OBJ_MAXNAMELEN - 1.
>>
>> After apply this patch, error message will be printed out like this:
>> # name_32=$(printf "%0.sQ" {1..32})
>> # nft add counter filter $name_32
>> <cmdline>:1:1-52: Error: Could not process rule: Numerical result out
>> of range
>> add counter filter QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Good catch.
>
> At quick glance, I can see other spots lacking this validation:
>
> static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] =
> {
> [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
>
> Probably review and fix them in one go?
The nft table name's size is limited at this place:
static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
[NFTA_TABLE_NAME] = { .type = NLA_STRING,
.len =
NFT_TABLE_MAXNAMELEN - 1 },
If NFTA_CHAIN_TABLE's size exceeded 31, nf_tables_table_lookup will
fail eventually.
So I think adding the validation of NFTA_CHAIN_TABLE's size is not
important.
I had checked the table, chain, rule(no name), set, setelem(no name)
and object, I only found the validation of the object's name was missed.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
