From 13f42a71e49164769a98fc51033c65a211861404 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik
Date: Thu, 20 Jan 2011 17:54:26 +0100
Subject: Enforce network-order data in the netlink protocol

Allow only network-order data, with NLA_F_NET_BYTEORDER flag. Sanity checks also added to prevent processing broken messages where mandatory attributes are missing. (Patrick McHardy's review)
---
 kernel/include/linux/netfilter/ipset/ip_set.h | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'kernel/include')

diff --git a/kernel/include/linux/netfilter/ipset/ip_set.h b/kernel/include/linux/netfilter/ipset/ip_set.h
index 7679b33..61b08f1 100644
--- a/kernel/include/linux/netfilter/ipset/ip_set.h
+++ b/kernel/include/linux/netfilter/ipset/ip_set.h
@@ -320,15 +320,14 @@ extern int ip_set_test(ip_set_id_t id, const struct sk_buff *skb,
 /* Utility functions */
 extern void * ip_set_alloc(size_t size, gfp_t gfp_mask);
 extern void ip_set_free(void *members);
-extern int ip_set_get_ipaddr4(struct nlattr *attr[], int type, __be32 *ipaddr);
-extern int ip_set_get_ipaddr6(struct nlattr *attr[], int type,
-			      union nf_inet_addr *ipaddr);
+extern int ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr);
+extern int ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr);
 
 static inline int
-ip_set_get_hostipaddr4(struct nlattr *attr[], int type, u32 *ipaddr)
+ip_set_get_hostipaddr4(struct nlattr *nla, u32 *ipaddr)
 {
 	__be32 ip;
-	int ret = ip_set_get_ipaddr4(attr, type, &ip);
+	int ret = ip_set_get_ipaddr4(nla, &ip);
 
 	if (ret)
 		return ret;
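Review bot: The new prototypes of ip_set_get_ipaddr4() and ip_set_get_ipaddr6() carry no comment stating the contract of the single `nla` argument — whether a NULL attribute is rejected inside the helper or must be screened by the caller before the call, and what a non-zero return means. Since the commit message says sanity checks for missing mandatory attributes were added, this header is where a reader will look for that contract; a comment above the two declarations such as `/* Copy the address carried by @nla into *ipaddr; returns 0 on success, a negative error code if the attribute is absent or malformed — TODO confirm NULL handling against the definition */` would pin it down. ip_set_get_hostipaddr4() inherits the same contract unchanged, and its body continues past the end of the hunk.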
@@ -343,6 +342,19 @@ ip_set_eexist(int ret, u32 flags)
 	return ret == -IPSET_ERR_EXIST && (flags & IPSET_FLAG_EXIST);
 }
 
+/* Check the NLA_F_NET_BYTEORDER flag */
+static inline bool
+ip_set_attr_netorder(struct nlattr *tb[], int type)
+{
+	return tb[type] && (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
+}
+
+static inline bool
+ip_set_optattr_netorder(struct nlattr *tb[], int type)
+{
+	return !tb[type] || (tb[type]->nla_type & NLA_F_NET_BYTEORDER);
+}
+
 /* Useful converters */
 static inline u32
 ip_set_get_h32(const struct nlattr *attr)
-- 
cgit v1.2.3
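Review bot: The two new predicates share one comment that does not spell out their asymmetry: ip_set_attr_netorder() returns false for a missing attribute, so it doubles as the mandatory-attribute presence check the commit message mentions, while ip_set_optattr_netorder() treats absence as acceptable. A comment above each would make that explicit, e.g. `/* Mandatory attribute: must be present and flagged NLA_F_NET_BYTEORDER */` and `/* Optional attribute: may be absent; if present it must be flagged NLA_F_NET_BYTEORDER */`. It is also worth saying in the comment that the flag is set by the sender, so the check asserts the declared byte order of the payload rather than validating it — range and length checks on each attribute's value still belong at the use site. Both helpers read the raw `nla_type` field, presumably because the nla_type() accessor masks the flag bits off; a short note to that effect would stop a later reader from "fixing" it.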