author | Florian Westphal <fw@strlen.de> | 2023-12-21 11:25:14 +0100 |
committer | Florian Westphal <fw@strlen.de> | 2023-12-22 11:57:46 +0100 |
commit | dcb199544563ded462cb7151134278f82a9e6cfd (patch) | |
tree | b1a1937e32bf5eda4126fb288751fdddb9fbda42 /include/rule.h | |
parent | b9e19cc396347df8c7f8cf5d14ba1d6172040f16 (diff) |
src: do not allow to chain more than 16 binops
netlink_linearize.c has never supported more than 16 chained binops.
Adding more is possible but overwrites the stack in
netlink_gen_bitwise().
Add a recursion counter to catch this at eval stage.
It's not enough to just abort once the counter hits
NFT_MAX_EXPR_RECURSION.
This is because there are valid test cases that exceed this.
For example, evaluation of 1 | 2 will merge the constants, so even
if there are a dozen recursive eval calls this will not end up
with large binop chain post-evaluation.
v2: allow more than 16 binops iff the evaluation function
did constant-merging.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include/rule.h')
-rw-r--r-- | include/rule.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/include/rule.h b/include/rule.h
index 6236d292..6835fe06 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -753,10 +753,13 @@ extern void cmd_free(struct cmd *cmd);
 * @rule: current rule
 * @set: current set
 * @stmt: current statement
+ * @stmt_len: current statement template length
+ * @recursion: expr evaluation recursion counter
 * @cache: cache context
 * @debug_mask: debugging bitmask
 * @ectx: expression context
- * @pctx: payload context
+ * @_pctx: payload contexts
+ * @inner_desc: inner header description
 */
 struct eval_ctx {
 struct nft_ctx *nft;
@@ -767,6 +770,7 @@ struct eval_ctx {
 struct set *set;
 struct stmt *stmt;
 uint32_t stmt_len;
+ uint32_t recursion;
 struct expr_ctx ectx;
 struct proto_ctx _pctx[2];
 const struct proto_desc *inner_desc;
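Review bot: The new `@recursion` kernel-doc line in the first hunk says only that the field is a recursion counter, while the header gives no hint of the bound it is checked against or that the check is relaxed when constant-merging shrinks a binop chain, both of which only the commit message explains; a reader of rule.h alone cannot tell what the value means or why exceeding the limit is harmful. I would extend the line to `@recursion: expr evaluation recursion depth, checked against NFT_MAX_EXPR_RECURSION (relaxed when constant-merging shrank a binop chain)`. Whether the counter is reset per top-level expression or per statement is not visible in this hunk, so the comment should state whichever the evaluator actually does. struct eval_ctx begins at the end of the first hunk and continues past the end of the second.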