From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, fw@strlen.de, kaber@trash.net,
	tgraf@suug.ch
Subject: Re: [PATCH 3/3] netfilter: nf_tables: enforce NLA_NUL_STRING in strings
Date: Mon, 31 Mar 2014 14:15:51 +0200
Message-ID: <20140331121551.GC4682@breakpoint.cc>
In-Reply-To: <1396266691-3538-3-git-send-email-pablo@netfilter.org>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:

[cc'd Thomas ]

> nla_strcmp compares the string length plus one, so it's implicitly
> including the nul-termination in the comparison.
> 
>  int nla_strcmp(const struct nlattr *nla, const char *str)
>  {
>         int len = strlen(str) + 1;
>         ...
> 		d = memcmp(nla_data(nla), str, len);

[..]

> However, if NLA_STRING is used, userspace can send us a string without
> the null-termination. This is a problem since the nf_tables lookup
> functions won't find any match, as the last byte may mismatch.
> So we have to enforce that strings are nul-terminated to avoid
> mismatches.

Looks to me as if the real fix is:

int nla_strcmp(const struct nlattr *nla, const char *str)
{
	return nla_memcmp(nla, str, strlen(str));
}

[ better yet, add static inline wrapper for it ].
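
The two comparisons discussed in this message, as an added user-space example that is not code from the thread or from the kernel. It shows how each one treats a string attribute sent with and without the trailing NUL. `struct model_attr`, the `cmp_*` names and the tolerant variant are hypothetical, and `model_memcmp()` assumes nla_memcmp() checks for equal lengths before calling memcmp().

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a netlink attribute: payload pointer + length. */
struct model_attr {
	const char *data;
	int len;
};

/* Assumption: mirrors nla_memcmp(), lengths must match before memcmp runs. */
static int model_memcmp(const struct model_attr *a, const void *data, size_t size)
{
	int d = a->len - (int)size;
	if (d == 0)
		d = memcmp(a->data, data, size);
	return d;
}

/* Behaviour quoted in the patch description: the NUL is compared too. */
static int cmp_with_nul(const struct model_attr *a, const char *str)
{
	return model_memcmp(a, str, strlen(str) + 1);
}

/* Variant proposed in the reply: compare strlen(str) bytes only. */
static int cmp_without_nul(const struct model_attr *a, const char *str)
{
	return model_memcmp(a, str, strlen(str));
}

/* Hypothetical tolerant variant: ignore one trailing NUL in the payload. */
static int cmp_tolerant(const struct model_attr *a, const char *str)
{
	struct model_attr t = *a;
	if (t.len > 0 && t.data[t.len - 1] == '\0')
		t.len--;
	return model_memcmp(&t, str, strlen(str));
}

/* Constructed payloads: the same name with and without the terminator. */
static const struct model_attr with_nul = { "filter", 7 };
static const struct model_attr without_nul = { "filter", 6 };

int main(void)
{
	printf("payload with NUL:    %d %d %d\n", cmp_with_nul(&with_nul, "filter"),
	       cmp_without_nul(&with_nul, "filter"), cmp_tolerant(&with_nul, "filter"));
	printf("payload without NUL: %d %d %d\n", cmp_with_nul(&without_nul, "filter"),
	       cmp_without_nul(&without_nul, "filter"), cmp_tolerant(&without_nul, "filter"));
	return 0;
}
```

A zero in the output means the attribute matched the name; each of the first two variants matches only one of the two payload forms.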
