Re: [libnftnl PATCH 4/6] set: Don't bypass checks in nftnl_set_set_u{32,64}()

Hi,

On Tue, Oct 15, 2019 at 05:53:46PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 15, 2019 at 04:16:56PM +0200, Phil Sutter wrote:
> > By calling nftnl_set_set(), any data size checks are effectively
> > bypassed. Better call nftnl_set_set_data() directly, passing the real
> > size for validation.
> > 
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> 
> Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> 
> Probably attribute((deprecated)) is better so we don't forget. Anyway,
> we can probably nuke this function in the next release.

But if we drop it, we break ABI, no? Sadly, nftables use(d) the symbol,
so we would break older nftables versions with the new libnftnl release.

Should I send a v2 setting attribute((deprecated))? I think it's worth
doing it.

Thanks, Phil
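
The size-check bypass described in the quoted commit message, as an added example that is not part of the patch or of libnftnl. Every name here (`toy_set`, `toy_set_data`, the attributes) is hypothetical; the model only assumes a length-less setter that supplies the expected size itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model with hypothetical names; not libnftnl's code. */
enum toy_attr { TOY_FLAGS, TOY_HANDLE, TOY_ATTR_MAX };
struct toy_set { uint32_t flags; uint64_t handle; };
/* Expected payload size per attribute. */
static const size_t toy_size[TOY_ATTR_MAX] = {
    [TOY_FLAGS]  = sizeof(uint32_t),
    [TOY_HANDLE] = sizeof(uint64_t),
};

/* Checked setter: rejects a payload whose length is not the expected one. */
int toy_set_data(struct toy_set *s, unsigned attr, const void *data, size_t len)
{
    if (attr >= TOY_ATTR_MAX || len != toy_size[attr])
        return -1;
    if (attr == TOY_FLAGS)
        memcpy(&s->flags, data, len);
    else
        memcpy(&s->handle, data, len);
    return 0;
}

/* Length-less setter: it passes the expected size, so the check cannot fail. */
int toy_set(struct toy_set *s, unsigned attr, const void *data)
{
    return attr < TOY_ATTR_MAX ? toy_set_data(s, attr, data, toy_size[attr]) : -1;
}

/* "Before": typed wrapper routed through the length-less setter. */
int toy_set_u64_unchecked(struct toy_set *s, unsigned attr, uint64_t val)
{
    return toy_set(s, attr, &val);
}

/* "After": typed wrapper passes the real size, so a mismatch is caught. */
int toy_set_u64_checked(struct toy_set *s, unsigned attr, uint64_t val)
{
    return toy_set_data(s, attr, &val, sizeof(val));
}

int main(void)
{
    struct toy_set s = {0};
    printf("unchecked: %d\n", toy_set_u64_unchecked(&s, TOY_FLAGS, 1ULL << 40));
    printf("checked:   %d\n", toy_set_u64_checked(&s, TOY_FLAGS, 1ULL << 40));
    return 0;
}
```

The unchecked wrapper reports success while silently storing only part of the 64-bit value in the 32-bit attribute; the checked wrapper returns an error instead.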


