On Tue, Mar 19, 2024 at 06:12:07PM +0100, Phil Sutter wrote: > Just like with the recent change in expr_ops, this series reuses > obj_ops::max_attr field (patch 11) for validating the maximum attribute > value and implements an 'attr_policy' field (patch 13) into struct > obj_ops to verify maximum attribute lengths when dispatching to specific > object type setters in nftnl_obj_set_data(). > > Patches 1-6 add missing attributes to existing validation arrays. > Patches 7-9 fix for various more or less related bugs. > Patch 10 enables error condition propagation to callers, missing already > for ENOMEM situations and used by following patches. > Patches 11-14 contain the actual implementation announced above. > The remaining patches fix for the other possible cause of invalid data > access, namely callers passing too small buffers. > > To verify this won't break users, I ran nftables' shell testsuite in > nftables versions 0.9.9, 1.0.6 and current HEAD and compared the results > with and without this series applied to libnftnl. > > Phil Sutter (17): > chain: Validate NFTNL_CHAIN_USE, too > table: Validate NFTNL_TABLE_USE, too > flowtable: Validate NFTNL_FLOWTABLE_SIZE, too > obj: Validate NFTNL_OBJ_TYPE, too > set: Validate NFTNL_SET_ID, too > table: Validate NFTNL_TABLE_OWNER, too > obj: Do not call nftnl_obj_set_data() with zero data_len > obj: synproxy: Use memcpy() to handle potentially unaligned data > utils: Fix for wrong variable use in nftnl_assert_validate() > obj: Return value on setters > obj: Repurpose struct obj_ops::max_attr field > obj: Call obj_ops::set with legal attributes only > obj: Introduce struct obj_ops::attr_policy > obj: Enforce attr_policy compliance in nftnl_obj_set_data() > utils: Introduce and use nftnl_set_str_attr() > obj: Respect data_len when setting attributes > expr: Respect data_len when setting attributes Series applied.
