Re: [libnftnl PATCH 3/6] set_elem: Validate nftnl_set_elem_set() parameters

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Tue, 15 Oct 2019 17:52:44 +0200

On Tue, Oct 15, 2019 at 04:16:55PM +0200, Phil Sutter wrote:
> Copying from nftnl_table_set_data(), validate input to
> nftnl_set_elem_set() as well. Given that for some attributes the
> function assumes passed data size, this seems necessary.
> 
> Signed-off-by: Phil Sutter <phil@xxxxxx>

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

Before pushing out this, see below.

> ---
>  include/libnftnl/set.h |  2 ++
>  src/set_elem.c         | 10 ++++++++++
>  2 files changed, 12 insertions(+)
> 
> diff --git a/include/libnftnl/set.h b/include/libnftnl/set.h
> index 6640ad929f346..2ea2e9a56ce4f 100644
> --- a/include/libnftnl/set.h
> +++ b/include/libnftnl/set.h
> @@ -104,7 +104,9 @@ enum {
>  	NFTNL_SET_ELEM_USERDATA,
>  	NFTNL_SET_ELEM_EXPR,
>  	NFTNL_SET_ELEM_OBJREF,
> +	__NFTNL_SET_ELEM_MAX
>  };
> +#define NFTNL_SET_ELEM_MAX (__NFTNL_SET_ELEM_MAX - 1)
>  
>  struct nftnl_set_elem;
>  
> diff --git a/src/set_elem.c b/src/set_elem.c
> index 3794f12594079..4225a96ee5a0a 100644
> --- a/src/set_elem.c
> +++ b/src/set_elem.c
> @@ -96,10 +96,20 @@ void nftnl_set_elem_unset(struct nftnl_set_elem *s, uint16_t attr)
>  	s->flags &= ~(1 << attr);
>  }
>  
> +static uint32_t nftnl_set_elem_validate[NFTNL_SET_ELEM_MAX + 1] = {
> +	[NFTNL_SET_ELEM_FLAGS]		= sizeof(uint32_t),
> +	[NFTNL_SET_ELEM_VERDICT]	= sizeof(int), /* FIXME: data.verdict is int?! */

This is uint32_t, update this before pushing out this.

> +	[NFTNL_SET_ELEM_TIMEOUT]	= sizeof(uint64_t),
> +	[NFTNL_SET_ELEM_EXPIRATION]	= sizeof(uint64_t),
> +};
> +
>  EXPORT_SYMBOL(nftnl_set_elem_set);
>  int nftnl_set_elem_set(struct nftnl_set_elem *s, uint16_t attr,
>  		       const void *data, uint32_t data_len)
>  {
> +	nftnl_assert_attr_exists(attr, NFTNL_SET_ELEM_MAX);
> +	nftnl_assert_validate(data, nftnl_set_elem_validate, attr, data_len);
> +
>  	switch(attr) {
>  	case NFTNL_SET_ELEM_FLAGS:
>  		memcpy(&s->set_elem_flags, data, sizeof(s->set_elem_flags));
> -- 
> 2.23.0
> 