On Fri, Mar 24, 2017 at 09:38:37AM +0800, gfree.wind@xxxxxxxxxxx wrote: > From: Gao Feng <fgao@xxxxxxxxxx> > > Because the type of expecting, the member of nf_conn_help, is u8, it > would overflow after reach U8_MAX(255). So it doesn't work when we > configure the max_expected exceeds 255 with expect policy. > > Now add the check for max_expected. Return the -EINVAL when it exceeds > the limit. > > Signed-off-by: Gao Feng <fgao@xxxxxxxxxx> > --- > include/net/netfilter/nf_conntrack_expect.h | 1 + > net/netfilter/nf_conntrack_helper.c | 3 +++ > net/netfilter/nfnetlink_cthelper.c | 4 ++++ > 3 files changed, 8 insertions(+) > > diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h > index 5ed33ea..aa36a31 100644 > --- a/include/net/netfilter/nf_conntrack_expect.h > +++ b/include/net/netfilter/nf_conntrack_expect.h > @@ -71,6 +71,7 @@ struct nf_conntrack_expect_policy { > }; > > #define NF_CT_EXPECT_CLASS_DEFAULT 0 > +#define NF_CT_EXPECT_MAX_CNT U8_MAX use NF_CT_EXPECT_MAX. We will expose this to userspace at some point now that we have infrastructure to configure helpers from nft (Florian's work already in nf-next) so use 255 instead of U8_MAX is fine. > int nf_conntrack_expect_pernet_init(struct net *net); > void nf_conntrack_expect_pernet_fini(struct net *net); > diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c > index 6dc44d9..752a977 100644 > --- a/net/netfilter/nf_conntrack_helper.c > +++ b/net/netfilter/nf_conntrack_helper.c 
> @@ -385,6 +385,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) > BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); > BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); > > + if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT) > + return -EINVAL; I swear this is also exposed through modparams, right? So this patch may be missing something.
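Review bot: the new NF_CT_EXPECT_MAX_CNT define in nf_conntrack_expect.h has no comment saying that its value is bounded by the u8 type of the expecting counter in nf_conn_help, so the constant and the field can drift apart if the field is ever widened. Add a one-line comment beside the define, or a BUILD_BUG_ON next to the check that ties the constant to the size of that field.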
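Review bot: the added check in nf_conntrack_helper_register() reads only me->expect_policy->max_expected, which is the first policy entry, while the BUG_ON on me->expect_class_max just above indicates that a helper can carry more than one expectation class. Walk the policy entries from 0 to me->expect_class_max and return -EINVAL if any max_expected exceeds the limit, so that a later class cannot keep a value the u8 counter can never reach.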
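The wrap-around described in the commit message, as an added user-space C model (not code from the patch or from the kernel): a u8 counter compared against a limit above 255 never reaches it, so the limit is silently not enforced. The names `helper_state`, `try_add_expectation`, `admitted`, `validate_max_expected` and `EXPECT_LIMIT` are hypothetical, and the rejection error value is chosen for this model only.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define EXPECT_LIMIT 255u /* hypothetical name: largest value a u8 counter can hold */

/* Simplified stand-in for the per-connection state; the commit message
 * says the real counter is a u8. */
struct helper_state {
    uint8_t expecting;
};

/* Model of the accounting without the patch: admit a new expectation
 * while the counter is below max_expected. */
static int try_add_expectation(struct helper_state *h, unsigned int max_expected)
{
    if (max_expected && h->expecting >= max_expected)
        return -EMFILE;  /* model's choice of error for "limit reached" */
    h->expecting++;      /* wraps from 255 back to 0 */
    return 0;
}

/* How many of `attempts` expectations get admitted under a given limit. */
static unsigned int admitted(unsigned int max_expected, unsigned int attempts)
{
    struct helper_state h = { 0 };
    unsigned int ok = 0;

    for (unsigned int i = 0; i < attempts; i++)
        if (try_add_expectation(&h, max_expected) == 0)
            ok++;
    return ok;
}

/* The kind of check the patch adds: refuse a limit the counter cannot represent. */
static int validate_max_expected(unsigned int max_expected)
{
    return max_expected > EXPECT_LIMIT ? -EINVAL : 0;
}

int main(void)
{
    printf("limit 200: %u of 1000 admitted\n", admitted(200, 1000));
    printf("limit 300: %u of 1000 admitted\n", admitted(300, 1000));
    printf("validate(300) = %d\n", validate_max_expected(300));
    return 0;
}
```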