From: "Álvaro Neira Ayuso" <alvaroneay@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net
Subject: Re: [nft PATCH 1/4 v2] evaluate: fix a crash if we specify ether type or meta nfproto in reject
Date: Fri, 17 Oct 2014 15:44:18 +0200 [thread overview]
Message-ID: <54411D32.3050803@gmail.com> (raw)
In-Reply-To: <20141017133817.GA4163@salvia>
El 17/10/14 15:38, Pablo Neira Ayuso escribió:
> On Fri, Oct 17, 2014 at 03:02:07PM +0200, Álvaro Neira Ayuso wrote:
>> El 17/10/14 14:55, Pablo Neira Ayuso escribió:
>>> On Fri, Oct 17, 2014 at 02:24:34PM +0200, Alvaro Neira Ayuso wrote:
>>>> If we use a rule:
>>>> nft add rule bridge filter input \
>>>> ether type ip reject with icmp type host-unreachable
>>>>
>>>> or this:
>>>>
>>>> nft add rule inet filter input \
>>>> meta nfproto ipv4 reject with icmp type host-unreachable
>>>>
>>>> we have a segfault because we add a network dependency when we already have
>>>> network context.
>>>>
>>>> Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
>>>> ---
>>>> [changes in v2]
>>>> * Fixed a incorrect refactor when we check the family in bridge
>>>>
>>>> src/evaluate.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>>>> 1 file changed, 56 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/src/evaluate.c b/src/evaluate.c
>>>> index 83ef749..4b7bda9 100644
>>>> --- a/src/evaluate.c
>>>> +++ b/src/evaluate.c
>>>> @@ -19,6 +19,7 @@
>>>> #include <linux/netfilter/nf_tables.h>
>>>> #include <netinet/ip_icmp.h>
>>>> #include <netinet/icmp6.h>
>>>> +#include <net/ethernet.h>
>>>>
>>>> #include <expression.h>
>>>> #include <statement.h>
>>>> @@ -1193,6 +1194,8 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
>>>> BUG("cannot generate reject dependency for type %d",
>>>> stmt->reject.type);
>>>> }
>>>> + if (payload == NULL)
>>>> + return 0;
>>>
>>> Why this check?
>>
>> If we already have context, the previously functions return a NULL
>> payload. Therefore, if we try to create a dependency with this NULL
>> payload, we have a crash.
>
> I prefer if you can change the return value logic in
> reject_payload_gen_dependency*() to:
>
> 1: payload dependency was created
> 0: no payload dependency needed
> -1: error
>
> See patch attached.
>
Nice idea. Looks good to me.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2014-10-17 13:44 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-17 12:24 [nft PATCH 1/4 v2] evaluate: fix a crash if we specify ether type or meta nfproto in reject Alvaro Neira Ayuso
2014-10-17 12:24 ` [nft PATCH 2/4 v2] evaluate: fix a crash if we check the transport protocol Alvaro Neira Ayuso
2014-10-20 8:59 ` Pablo Neira Ayuso
2014-10-20 9:40 ` Álvaro Neira Ayuso
2014-10-20 9:46 ` Pablo Neira Ayuso
2014-10-20 9:50 ` Álvaro Neira Ayuso
2014-10-17 12:24 ` [nft PATCH 3/4 v2] delinearize: list the icmpx reason with the string associated Alvaro Neira Ayuso
2014-10-17 12:58 ` Pablo Neira Ayuso
2014-10-17 12:24 ` [nft PATCH 4/4 v2] test: update and add the reject tests for ip, ip6, bridge and inet Alvaro Neira Ayuso
2014-10-17 12:55 ` [nft PATCH 1/4 v2] evaluate: fix a crash if we specify ether type or meta nfproto in reject Pablo Neira Ayuso
2014-10-17 13:02 ` Álvaro Neira Ayuso
2014-10-17 13:38 ` Pablo Neira Ayuso
2014-10-17 13:44 ` Álvaro Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54411D32.3050803@gmail.com \
--to=alvaroneay@gmail.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.