From 367cbfaae87c1f539c729b0653d920701beac3be Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 20 Jul 2014 14:09:34 +0200
Subject: src: stricter netlink attribute length validation

If the kernel sends us different data length for a given attribute,
stop further processing and indicate that an ABI breakage has ocurred.
This is an example of the (hypothetical) message that is shown in that
case:

 nf_tables kernel ABI is broken, contact your vendor.
 table.c:214 reason: Numerical result out of range

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/chain.c | 36 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 24 deletions(-)

(limited to 'src/chain.c')

diff --git a/src/chain.c b/src/chain.c
index ad9da51..a056bab 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -385,30 +385,22 @@ static int nft_chain_parse_attr_cb(const struct nlattr *attr, void *data)
 	case NFTA_CHAIN_NAME:
 	case NFTA_CHAIN_TABLE:
 	case NFTA_CHAIN_TYPE:
-		if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0) {
-			perror("mnl_attr_validate");
-			return MNL_CB_ERROR;
-		}
+		if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
+			abi_breakage();
 		break;
 	case NFTA_CHAIN_HOOK:
 	case NFTA_CHAIN_COUNTERS:
-		if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0) {
-			perror("mnl_attr_validate");
-			return MNL_CB_ERROR;
-		}
+		if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+			abi_breakage();
 		break;
 	case NFTA_CHAIN_POLICY:
 	case NFTA_CHAIN_USE:
-		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
-			perror("mnl_attr_validate");
-			return MNL_CB_ERROR;
-		}
+		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+			abi_breakage();
 		break;
 	case NFTA_CHAIN_HANDLE:
-		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0) {
-			perror("mnl_attr_validate");
-			return MNL_CB_ERROR;
-		}
+		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+			abi_breakage();
 		break;
 	}
 
@@ -427,10 +419,8 @@ static int nft_chain_parse_counters_cb(const struct nlattr *attr, void *data)
 	switch(type) {
 	case NFTA_COUNTER_BYTES:
 	case NFTA_COUNTER_PACKETS:
-		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0) {
-			perror("mnl_attr_validate");
-			return MNL_CB_ERROR;
-		}
+		if (mnl_attr_validate(attr, MNL_TYPE_U64) < 0)
+			abi_breakage();
 		break;
 	}
 
@@ -467,10 +457,8 @@ static int nft_chain_parse_hook_cb(const struct nlattr *attr, void *data)
 	switch(type) {
 	case NFTA_HOOK_HOOKNUM:
 	case NFTA_HOOK_PRIORITY:
-		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
-			perror("mnl_attr_validate");
-			return MNL_CB_ERROR;
-		}
+		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+			abi_breakage();
 		break;
 	}
 
-- 
cgit v1.2.3