Re: [libnftnl PATCH 4/6] set: Don't bypass checks in nftnl_set_set_u{32,64}()

On Tue, Oct 15, 2019 at 07:09:33PM +0200, Phil Sutter wrote:
> On Tue, Oct 15, 2019 at 06:32:39PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 15, 2019 at 06:11:34PM +0200, Phil Sutter wrote:
> > > Hi,
> > > 
> > > On Tue, Oct 15, 2019 at 05:53:46PM +0200, Pablo Neira Ayuso wrote:
> > > > On Tue, Oct 15, 2019 at 04:16:56PM +0200, Phil Sutter wrote:
> > > > > By calling nftnl_set_set(), any data size checks are effectively
> > > > > bypassed. Better call nftnl_set_set_data() directly, passing the real
> > > > > size for validation.
> > > > > 
> > > > > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > > > 
> > > > Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > > > 
> > > > Probably attribute((deprecated)) is better so we don't forget. Anyway,
> > > > we can probably nuke this function in the next release.
> > > 
> > > But if we drop it, we break ABI, no? Sadly, nftables use(d) the symbol,
> > > so we would break older nftables versions with the new libnftnl release.
> > >
> > > Should I send a v2 setting attribute((deprecated))? I think it's worth
> > > doing it.
> > 
> > OK.
> 
> Well, given that there are more cases like this (e.g. nftnl_obj_set()),
> I'll just drop the comment from existing patch and follow-up with a
> separate one deprecating all unqualified setter symbols at once.

That's fine with me.
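
The size-check bypass described in the commit message, as an added example that is not part of the patch or of libnftnl's source. All `demo_*` names, the attribute ids and the struct are hypothetical; the sketch assumes an unqualified setter with no length argument that can only hand the validating setter the size it expects.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical attribute ids and object; not libnftnl's definitions. */
enum { DEMO_ATTR_FLAGS, DEMO_ATTR_HANDLE, DEMO_ATTR_MAX };
struct demo_set { uint32_t flags; uint64_t handle; };

/* Size each attribute must have, used by the validating setter. */
static const size_t demo_expected[DEMO_ATTR_MAX] = {
	[DEMO_ATTR_FLAGS]  = sizeof(uint32_t),
	[DEMO_ATTR_HANDLE] = sizeof(uint64_t),
};

/* Validating setter: rejects unknown attributes and wrong sizes. */
int demo_set_data(struct demo_set *s, unsigned attr, const void *data, size_t len)
{
	if (attr >= DEMO_ATTR_MAX || len != demo_expected[attr])
		return -1;
	if (attr == DEMO_ATTR_FLAGS)
		memcpy(&s->flags, data, len);
	else
		memcpy(&s->handle, data, len);
	return 0;
}

/* Unqualified setter: no length argument, so it can only pass the
 * expected size and the size check always succeeds. */
int demo_set_unqualified(struct demo_set *s, unsigned attr, const void *data)
{
	if (attr >= DEMO_ATTR_MAX)
		return -1;
	return demo_set_data(s, attr, data, demo_expected[attr]);
}

/* Before: typed setter routed through the unqualified one; sizeof(val) is lost. */
int demo_set_u32_before(struct demo_set *s, unsigned attr, uint32_t val)
{
	/* Padded to 8 bytes only so this demo stays defined; with a plain
	 * 4-byte object a 64-bit attribute would be read past its end. */
	uint32_t buf[2] = { val, 0 };
	return demo_set_unqualified(s, attr, buf);
}

/* After: typed setter passes its real size, so a mismatch is rejected. */
int demo_set_u32_after(struct demo_set *s, unsigned attr, uint32_t val)
{
	return demo_set_data(s, attr, &val, sizeof(val));
}
```

Setting the 64-bit attribute through the 32-bit setter is accepted by the "before" variant and rejected by the "after" variant.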


