On Tue, Jul 11, 2023 at 11:22:57AM +0800, Lin Ma wrote: > In current ctnetlink_parse_tuple_ip() function, nested parsing and > validation is split into two parts. This is unnecessary as the > nla_parse_nested_deprecated function supports validation on the fly. > These two finally reach same place __nla_validate_parse with same > validate flag. > > nla_parse_nested_deprecated > __nla_parse(.., NL_VALIDATE_LIBERAL, ..) > __nla_validate_parse > > nla_validate_nested_deprecated > __nla_validate_nested(.., NL_VALIDATE_LIBERAL, ..) > __nla_validate > __nla_validate_parse > > This commit removes the call to nla_validate_nested_deprecated and pass > cta_ip_nla_policy when do parsing. > > Fixes: 8cb081746c03 ("netlink: make validation more configurable for future strictness") I don't think this warrants a fixes tag, as it's not fixing any user-visible behaviour. Rather, it is a clean-up. > Signed-off-by: Lin Ma <linma@xxxxxxxxxx> > --- > net/netfilter/nf_conntrack_netlink.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > index 69c8c8c7e9b8..334db22199c1 100644 > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -1321,15 +1321,11 @@ static int ctnetlink_parse_tuple_ip(struct nlattr *attr, > struct nlattr *tb[CTA_IP_MAX+1]; > int ret = 0; > > - ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL); > + ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, > + cta_ip_nla_policy, NULL); > if (ret < 0) > return ret; > > - ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX, > - cta_ip_nla_policy, NULL); > - if (ret) > - return ret; > - > switch (tuple->src.l3num) { > case NFPROTO_IPV4: > ret = ipv4_nlattr_to_tuple(tb, tuple, flags); > -- > 2.17.1 > >
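Review bot: In the merged `nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, cta_ip_nla_policy, NULL)` call, policy violations are now caught by the existing `if (ret < 0)` check instead of the removed `if (ret)`. The two are equivalent only because the validation path returns zero or a negative errno, and the commit message should say so next to the two call chains, since that is what makes this a pure clean-up with no change in which messages are rejected. The last argument is still NULL, so a `cta_ip_nla_policy` failure reports no extended ack, exactly as with the removed `nla_validate_nested_deprecated(attr, CTA_IP_MAX, cta_ip_nla_policy, NULL)`; a one-line mention that error reporting is unchanged would close that question. With the second assignment gone, the `int ret = 0;` initializer in the context lines is overwritten before any read and could be dropped in the same clean-up.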