author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-07-20 14:09:34 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-07-20 15:04:47 +0200 |
commit | 367cbfaae87c1f539c729b0653d920701beac3be (patch) | |
tree | 232077cd854cc757784383b56abcde8383b006dd /src/rule.c | |
parent | cac9b26874d60aa17c7cabe46d33e9114b24885d (diff) |
src: stricter netlink attribute length validation
If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has occurred.
This is an example of the (hypothetical) message that is shown in that
case:
nf_tables kernel ABI is broken, contact your vendor.
table.c:214 reason: Numerical result out of range
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 48 |
1 files changed, 16 insertions, 32 deletions
@@ -332,34 +332,24 @@ static int nft_rule_parse_attr_cb(const struct nlattr *attr, void *data)
 switch(type) {
 case NFTA_RULE_TABLE:
 case NFTA_RULE_CHAIN:
- if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
+ abi_breakage();
 break;
 case NFTA_RULE_HANDLE:
- if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+ abi_breakage();
 break;
 case NFTA_RULE_COMPAT:
- if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+ abi_breakage();
 break;
 case NFTA_RULE_POSITION:
- if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+ abi_breakage();
 break;
 case NFTA_RULE_USERDATA:
- if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0)
+ abi_breakage();
 break;
 }
@@ -377,16 +367,12 @@ static int nft_rule_parse_expr_cb(const struct nlattr *attr, void *data)
 switch(type) {
 case NFTA_EXPR_NAME:
- if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
+ abi_breakage();
 break;
 case NFTA_EXPR_DATA:
- if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+ abi_breakage();
 break;
 }
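Review bot: The new error path in every case relies on `abi_breakage()` never returning, but nothing in the hunk guarantees that: if it does return, control reaches `break;` and the callback carries on past the switch (outside the hunk, presumably storing the attribute) with a length that `mnl_attr_validate()` just rejected, while libmnl no longer sees an error because `MNL_CB_ERROR` is gone. The same pattern appears in nft_rule_parse_expr_cb (second hunk on this line) and nft_rule_parse_compat_cb (next hunk). Unless the declaration of `abi_breakage()` already carries `__attribute__((noreturn))` — it lives outside this file, so I cannot confirm — either add that attribute so the compiler enforces the assumption, or keep the explicit error return after the call, e.g. `abi_breakage();` followed by `return MNL_CB_ERROR;`, so a malformed kernel attribute still fails closed. All three callbacks start and end outside their hunks.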
@@ -441,10 +427,8 @@ static int nft_rule_parse_compat_cb(const struct nlattr *attr, void *data)
 switch(type) {
 case NFTA_RULE_COMPAT_PROTO:
 case NFTA_RULE_COMPAT_FLAGS:
- if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
- perror("mnl_attr_validate");
- return MNL_CB_ERROR;
- }
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
 break;
 } |