All of lore.kernel.org
 help / color / mirror / Atom feed
From: Florian Westphal <fw@strlen.de>
To: Liping Zhang <zlpnobody@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Liping Zhang <zlpnobody@163.com>,
	Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nf] netfilter: nf_tables: report error if stateful obj's name is truncated
Date: Thu, 19 Jan 2017 16:22:40 +0100	[thread overview]
Message-ID: <20170119152240.GC16765@breakpoint.cc> (raw)
In-Reply-To: <CAML_gOc=0wpF9ERvvC5Vp3ncMdijrt9hOkSci1tc4tMUoR2uQg@mail.gmail.com>

Liping Zhang <zlpnobody@gmail.com> wrote:
> > At quick glance, I can see other spots lacking this validation:
> >
> > static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] =
> > {
> >         [NFTA_CHAIN_TABLE]      = { .type = NLA_STRING },
> >
> > Probably review and fix them in one go?
> 
> The nft table name's size is limited at this place:
> static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
>         [NFTA_TABLE_NAME] = { .type = NLA_STRING,
>                                                    .len =
> NFT_TABLE_MAXNAMELEN - 1 },
> 
> If NFTA_CHAIN_TABLE's size exceeded 31, nf_tables_table_lookup will
> fail eventually.
> 
> So I think adding the validation of NFTA_CHAIN_TABLE's size is not
> important.

Perhaps but its better to have it anyway so that you don't need this
extra context to understand that its limited in practice.

  reply	other threads:[~2017-01-19 16:34 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-19 14:00 [PATCH nf] netfilter: nf_tables: report error if stateful obj's name is truncated Liping Zhang
2017-01-19 14:09 ` Pablo Neira Ayuso
2017-01-19 14:41   ` Liping Zhang
2017-01-19 15:22     ` Florian Westphal [this message]
2017-01-19 15:55     ` Patrick PIGNOL
2017-01-21 11:47     ` Patrick PIGNOL

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170119152240.GC16765@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=zlpnobody@163.com \
    --cc=zlpnobody@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.