Re: [PATCH nf] netfilter: nft_compat: explicitly reject builtin targets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 06, 2018 at 03:11:50PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Fri, Jul 06, 2018 at 02:53:25PM +0200, Florian Westphal wrote:
> > > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > > On Wed, Jul 04, 2018 at 09:13:06PM +0200, Florian Westphal wrote:
> > > > > iptables-nft never requests these, but explicitly reject this.
> > > > > 
> > > > > If it were requested, kernel will oops as ->target is NULL.
> > > > > 
> > > > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> > > > > ---
> > > > >  net/netfilter/nft_compat.c | 12 ++++++++++++
> > > > >  1 file changed, 12 insertions(+)
> > > > > 
> > > > > diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
> > > > > index 8d1ff654e5af..198cef9c2906 100644
> > > > > --- a/net/netfilter/nft_compat.c
> > > > > +++ b/net/netfilter/nft_compat.c
> > > > > @@ -832,10 +832,16 @@ nft_target_select_ops(const struct nft_ctx *ctx,
> > > > >  	rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
> > > > >  	family = ctx->family;
> > > > >  
> > > > > +	if (strcmp(tg_name, "ERROR") == 0)
> > > > > +		return ERR_PTR(-EINVAL);
> > > > 
> > > > We can just reject XT_ERROR_TARGET and XT_STANDARD_TARGET here, to
> > > > keep it simple, right? So we don't use this hardcoded "ERROR".
> > > 
> > > Yes, that works too.
> > > Rejecting XT_STANDARD_TARGET might be a good idea too in case someone
> > > ever changes it to have a non-null evaluation function.
> > 
> > Hm, I think we're already safe, right? I mean, the check for
> > target->target to be NULL and return -EINVAL is sufficient.
> > 
> > But I can just apply what I'm attaching for clarity if you prefer.
> 
> Rejecting from target_init should work.
> 
> I had placed everything in select_ops as that allocates the middleman
> struct and I wanted to fail early.
> 
> The ebtables standard target ("standard", sigh) also lacks target eval
> function so should fail because of ->target == NULL.
> 
> I'm only mentioning this because I think it should either strcmp
> for XT_ERROR_TARGET only and handle rest via taget->target == NULL check,
> or consider XT_STANDARD_TARGET, XT_ERROR_TARGET,  "standard", and the
> ->target == NULL check.
> 
> As its slow path, I would go for the latter option.

Would you resubmit with what you propose your patch then?

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux