* [PATCH libnetfilter_conntrack] examples: check return value of nfct_nlmsg_build()
@ 2021-01-01 9:02 Eyal Birger
2021-01-03 19:04 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Eyal Birger @ 2021-01-01 9:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eyal Birger
nfct_nlmsg_build() may fail for different reasons, for example if
insufficient parameters exist in the ct object. The resulting nlh would
not contain any of the ct attributes.
Some conntrack operations would still operate in such a case; for example,
an IPCTNL_MSG_CT_DELETE message would just delete all existing conntrack
entries.
While the example as it is does supply correct parameters, it's safer
as reference to validate the return value.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
---
examples/nfct-mnl-create.c | 6 +++++-
examples/nfct-mnl-del.c | 6 +++++-
examples/nfct-mnl-get.c | 6 +++++-
examples/nfct-mnl-set-label.c | 7 ++++++-
4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/examples/nfct-mnl-create.c b/examples/nfct-mnl-create.c
index 64387a7..7fd224d 100644
--- a/examples/nfct-mnl-create.c
+++ b/examples/nfct-mnl-create.c
@@ -60,7 +60,11 @@ int main(void)
nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_SYN_SENT);
nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100);
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_sendto(nl, nlh, nlh->nlmsg_len);
if (ret == -1) {
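Review bot: The `perror("nfct_nlmsg_build")` in the added error branch prints strerror(errno), which is only meaningful if nfct_nlmsg_build() sets errno on every failure path. Nothing visible in this patch shows that it does, so the message could carry a stale or misleading error. If that is not guaranteed, `fprintf(stderr, "nfct_nlmsg_build: cannot build message\n");` is the safer form for a reference example. Testing `if (ret < 0)` instead of `ret == -1` would also stop the send on any negative return. The same applies to the identical branches added in nfct-mnl-del.c, nfct-mnl-get.c and nfct-mnl-set-label.c; main() starts and ends outside this hunk.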
diff --git a/examples/nfct-mnl-del.c b/examples/nfct-mnl-del.c
index 91ad9e4..806d9f8 100644
--- a/examples/nfct-mnl-del.c
+++ b/examples/nfct-mnl-del.c
@@ -55,7 +55,11 @@ int main(void)
nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20));
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10));
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_sendto(nl, nlh, nlh->nlmsg_len);
if (ret == -1) {
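Review bot: The check added before `mnl_socket_sendto()` in this file deserves a comment, because the commit description names it as the case where an IPCTNL_MSG_CT_DELETE message without ct attributes deletes every conntrack entry rather than the one tuple set up above. A line such as `/* never send a DELETE built from an incomplete ct: without tuple attributes it removes all entries */` above `if (ret == -1) {` would tell people copying the example why the guard must stay. main() continues outside the hunk.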
diff --git a/examples/nfct-mnl-get.c b/examples/nfct-mnl-get.c
index 4858acf..5be3331 100644
--- a/examples/nfct-mnl-get.c
+++ b/examples/nfct-mnl-get.c
@@ -74,7 +74,11 @@ int main(void)
nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20));
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10));
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_sendto(nl, nlh, nlh->nlmsg_len);
if (ret == -1) {
diff --git a/examples/nfct-mnl-set-label.c b/examples/nfct-mnl-set-label.c
index c52b267..50bebb0 100644
--- a/examples/nfct-mnl-set-label.c
+++ b/examples/nfct-mnl-set-label.c
@@ -19,6 +19,7 @@ static void set_label(struct nf_conntrack *ct, struct callback_args *cbargs)
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
struct nfgenmsg *nfh;
+ int ret;
if (b) {
if (bit < 0)
@@ -55,7 +56,11 @@ static void set_label(struct nf_conntrack *ct, struct callback_args *cbargs)
nfh->version = NFNETLINK_V0;
nfh->res_id = 0;
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
if (mnl_socket_sendto(cbargs->nl, nlh, nlh->nlmsg_len) < 0)
perror("mnl_socket_sendto");
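Review bot: The new branch in set_label() calls `exit(EXIT_FAILURE)`, while the `mnl_socket_sendto()` failure directly below only calls perror() and carries on, so the function now has two different failure policies. Whether terminating the process from this function is intended is not visible here; a one-line comment stating that a failed build must never be sent would make the choice explicit. The `int ret;` added in the first hunk is used only for this test, so `if (nfct_nlmsg_build(nlh, ct) < 0) {` would match the style of the sendto check and make the extra declaration unnecessary. set_label() starts and ends outside these hunks.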
--
2.25.1
* [PATCH libnetfilter_conntrack] examples: check return value of nfct_nlmsg_build()
@ 2021-01-01 8:58 Eyal Birger
0 siblings, 0 replies; 3+ messages in thread
From: Eyal Birger @ 2021-01-01 8:58 UTC (permalink / raw)
To: netfilter; +Cc: Eyal Birger
nfct_nlmsg_build() may fail for different reasons, for example if
insufficient parameters exist in the ct object. The resulting nlh would
not contain any of the ct attributes.
Some conntrack operations would still operate in such a case; for example,
an IPCTNL_MSG_CT_DELETE message would just delete all existing conntrack
entries.
While the example as it is does supply correct parameters, it's safer
as reference to validate the return value.
Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
---
examples/nfct-mnl-create.c | 6 +++++-
examples/nfct-mnl-del.c | 6 +++++-
examples/nfct-mnl-get.c | 6 +++++-
examples/nfct-mnl-set-label.c | 7 ++++++-
4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/examples/nfct-mnl-create.c b/examples/nfct-mnl-create.c
index 64387a7..7fd224d 100644
--- a/examples/nfct-mnl-create.c
+++ b/examples/nfct-mnl-create.c
@@ -60,7 +60,11 @@ int main(void)
nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_SYN_SENT);
nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100);
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_sendto(nl, nlh, nlh->nlmsg_len);
if (ret == -1) {
diff --git a/examples/nfct-mnl-del.c b/examples/nfct-mnl-del.c
index 91ad9e4..806d9f8 100644
--- a/examples/nfct-mnl-del.c
+++ b/examples/nfct-mnl-del.c
@@ -55,7 +55,11 @@ int main(void)
nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20));
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10));
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_sendto(nl, nlh, nlh->nlmsg_len);
if (ret == -1) {
diff --git a/examples/nfct-mnl-get.c b/examples/nfct-mnl-get.c
index 4858acf..5be3331 100644
--- a/examples/nfct-mnl-get.c
+++ b/examples/nfct-mnl-get.c
@@ -74,7 +74,11 @@ int main(void)
nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(20));
nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(10));
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_sendto(nl, nlh, nlh->nlmsg_len);
if (ret == -1) {
diff --git a/examples/nfct-mnl-set-label.c b/examples/nfct-mnl-set-label.c
index c52b267..50bebb0 100644
--- a/examples/nfct-mnl-set-label.c
+++ b/examples/nfct-mnl-set-label.c
@@ -19,6 +19,7 @@ static void set_label(struct nf_conntrack *ct, struct callback_args *cbargs)
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
struct nfgenmsg *nfh;
+ int ret;
if (b) {
if (bit < 0)
@@ -55,7 +56,11 @@ static void set_label(struct nf_conntrack *ct, struct callback_args *cbargs)
nfh->version = NFNETLINK_V0;
nfh->res_id = 0;
- nfct_nlmsg_build(nlh, ct);
+ ret = nfct_nlmsg_build(nlh, ct);
+ if (ret == -1) {
+ perror("nfct_nlmsg_build");
+ exit(EXIT_FAILURE);
+ }
if (mnl_socket_sendto(cbargs->nl, nlh, nlh->nlmsg_len) < 0)
perror("mnl_socket_sendto");
--
2.25.1