From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH iptables] extensions: libebt_stp: fix range checking
Date: Thu, 25 Jan 2024 15:44:21 +0100 [thread overview]
Message-ID: <ZbJzxRvG7afyu4e8@orbyte.nwl.cc> (raw)
In-Reply-To: <ZbE3OUiDlnf7A7kI@orbyte.nwl.cc>
On Wed, Jan 24, 2024 at 05:13:45PM +0100, Phil Sutter wrote:
> On Wed, Jan 24, 2024 at 04:42:16PM +0100, Florian Westphal wrote:
> > Phil Sutter <phil@nwl.cc> wrote:
> > > While you correctly hate the game instead of its player, you probably
> > > hate the wrong game: The code above indeed is confusing. Maybe one
> > > should move that monotonicity check into libxtables which should
> > > simplify it quite a bit. I'll have a look. :)
> >
> > Something IS broken. Still not working on FC 39 test machine
> > even after fresh clone.
> >
> > On a "working" VM:
> > export XTABLES_LIBDIR=$(pwd)/extensions
> > iptables/xtables-nft-multi ebtables -A INPUT --stp-root-cost 1
> > have 1 32765
> >
> > @@ -150,7 +151,9 @@ static void brstp_parse(struct xt_option_call *cb)
> > RANGE_ASSIGN("root-prio", root_prio, cb->val.u16_range);
> > break;
> > case O_RCOST:
> > + fprintf(stderr, "have %u %u\n", cb->val.u32_range[0], cb->val.u32_range[1]);
> >
> > I can't even figure out where the correct max value is supposed to be set.
> >
> > Varying the input:
> >
> > xtables-nft-multi ebtables -A INPUT --stp-root-cost 1
> > have 1 32764
> >
> > Looks to me as if the upper value is undefined.
> >
> > Other users of *RC versions handle it in .parse, e.g. libxt_length.
> > No idea how this is working.
>
> In xtopt_parse_mint(), there is:
>
> | const uintmax_t lmax = xtopt_max_by_type(entry->type);
> | [...]
> | if (*arg == '\0' || *arg == sep) {
> | /* Default range components when field not spec'd. */
> | end = (char *)arg;
> | value = (cb->nvals == 1) ? lmax : 0;
>
> But that branch appears to be dead code. So this is indeed a bug and a
> specific build may or may not hit it as your experience shows. I'll see
> how xtopt_parse_mint() can be fixed.
The big elucidation was the code is called only for ranges and somehow I
managed to miss the point that your sample command doesn't contain a
range in the first place.
So while I still think it makes sense to have the 'low <= high' check
done by the parser, I applied your patch for now as it indeed fixes that
bug in libebt_stp extension parser. Sorry for all the confusion I must
have caused. :(
Meanwhile I've added test cases for ranges in various formats which
uncovered quite a few things to fix.
Thanks, Phil
prev parent reply other threads:[~2024-01-25 14:44 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-23 16:49 [PATCH iptables] extensions: libebt_stp: fix range checking Florian Westphal
2024-01-24 14:00 ` Phil Sutter
2024-01-24 14:37 ` Florian Westphal
2024-01-24 14:57 ` Phil Sutter
2024-01-24 15:42 ` Florian Westphal
2024-01-24 16:13 ` Phil Sutter
2024-01-25 14:44 ` Phil Sutter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZbJzxRvG7afyu4e8@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.