From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Alban Crequy <alban.crequy@collabora.co.uk>
Cc: Patrick McHardy <kaber@trash.net>,
	Vincent Sanders <vincent.sanders@collabora.co.uk>,
	Javier Martinez Canillas <javier.martinez@collabora.co.uk>,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH v2 1/6] netfilter: sanity checks on NFPROTO_NUMPROTO
Date: Mon, 14 May 2012 21:04:16 +0200
Message-ID: <20120514190416.GD14897@1984>
In-Reply-To: <20120514170410.6c2f1c5b@rainbow.cbg.collabora.co.uk>

On Mon, May 14, 2012 at 05:04:10PM +0100, Alban Crequy wrote:
> On Mon, 14 May 2012 16:39:49 +0100,
> Alban Crequy <alban.crequy@collabora.co.uk> wrote:
> 
> > On Mon, 14 May 2012 16:42:35 +0200,
> > Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > 
> > > On Mon, May 14, 2012 at 02:56:34PM +0100, Alban Crequy wrote:
> > > > With the NFPROTO_* constants introduced by commit 7e9c6e
> > > > ("netfilter: Introduce NFPROTO_* constants"), it is too easy to
> > > > confuse PF_* and NFPROTO_* constants in new protocols.
> > > > 
> > > > Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
> > > > Reviewed-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
> > > > Reviewed-by: Vincent Sanders <vincent.sanders@collabora.co.uk>
> > > > ---
> > > >  net/netfilter/core.c |    5 +++++
> > > >  1 files changed, 5 insertions(+), 0 deletions(-)
> > > > 
> > > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> > > > index e1b7e05..4f16552 100644
> > > > --- a/net/netfilter/core.c
> > > > +++ b/net/netfilter/core.c
> > > > @@ -67,6 +67,11 @@ int nf_register_hook(struct nf_hook_ops *reg)
> > > >  	struct nf_hook_ops *elem;
> > > >  	int err;
> > > >  
> > > > +	if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >=
> > > > NF_MAX_HOOKS) {
> > > > +		BUG();
> > > > +		return 1;
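Review bot: `return 1` after `BUG()` on the last two `+` lines is unreachable, since BUG() never returns, and a positive value would also break nf_register_hook's negative-errno convention for the callers that do check it; reporting the out-of-range `pf` or `hooknum` with a `WARN()` and then `return -EINVAL` lets a mis-registered hook fail cleanly instead of halting the kernel for a programming error in one module.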
> > > 
> > > nf_register_hook returns a negative value on error. -EINVAL can be
> > > fine.
> > 
> > Is it the patch you mean? Do you want me to do a series repost?
> 
> Please disregard the previous patch, this is the correct one.
> 
> 
> From: Alban Crequy <alban.crequy@collabora.co.uk>
> 
> netfilter: sanity checks on NFPROTO_NUMPROTO
> 
> With the NFPROTO_* constants introduced by commit 7e9c6e ("netfilter: Introduce
> NFPROTO_* constants"), it is too easy to confuse PF_* and NFPROTO_* constants
> in new protocols.
> 
> Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
> ---
>  net/netfilter/core.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index e1b7e05..7422989 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -67,6 +67,14 @@ int nf_register_hook(struct nf_hook_ops *reg)
>  	struct nf_hook_ops *elem;
>  	int err;
>  
> +	if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= NF_MAX_HOOKS) {
> +		WARN(reg->pf >= NFPROTO_NUMPROTO,
> +		     "netfilter: Invalid nfproto %d\n", reg->pf);
> +		WARN(reg->hooknum >= NF_MAX_HOOKS,
> +		     "netfilter: Invalid hooknum %d\n", reg->hooknum);

Then, better add two checks. One to spot the first warning, and
another to spot the second.

I haven't seen such code in any netfilter code and I like that things
remain consistent.

> +		return -EINVAL;
> +	}
> +
>  	err = mutex_lock_interruptible(&nf_hook_mutex);
>  	if (err < 0)
>  		return err;
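Review bot: the combined `if` on the first `+` line followed by two conditional `WARN()`s evaluates each bound twice and obscures which condition fired; two separate blocks, `if (reg->pf >= NFPROTO_NUMPROTO) { WARN(1, "netfilter: Invalid nfproto %d\n", reg->pf); return -EINVAL; }` and the same for `hooknum`, report each failure exactly once with flat control flow. The placement before `mutex_lock_interruptible()` is right: the early `return -EINVAL` holds no lock, so nothing needs to be released on that path.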
> -- 
> 1.7.2.5
> 
