From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf-next 2/4] netfilter: nf_tables: allow loads only when register is initialized
Date: Mon, 1 Jul 2024 22:31:28 +0200
Message-ID: <ZoMSIF0jVEe1ro5T@calendula>
In-Reply-To: <20240627135330.17039-3-fw@strlen.de>
On Thu, Jun 27, 2024 at 03:53:22PM +0200, Florian Westphal wrote:
> @@ -11105,8 +11107,8 @@ static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
> int nft_parse_register_load(const struct nft_ctx *ctx,
> const struct nlattr *attr, u8 *sreg, u32 len)
> {
> - u32 reg;
> - int err;
> + int err, invalid_reg;
> + u32 reg, next_register;
>
> err = nft_parse_register(attr, ®);
> if (err < 0)
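
Review bot: invalid_reg is declared as a plain int next to err, yet the later added lines assign it the result of find_next_zero_bit(), which returns unsigned long, and compare it against the u32 next_register. That makes "invalid_reg < next_register" a mixed signed/unsigned comparison. Declaring it unsigned, for example on the "u32 reg, next_register;" line, keeps the types consistent and avoids the implicit conversions.
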
> @@ -11116,11 +11118,36 @@ int nft_parse_register_load(const struct nft_ctx *ctx,
> if (err < 0)
> return err;
>
> + next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
> +
> + /* Can't happen: nft_validate_register_load() should have failed */
> + if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
> + return -EINVAL;
> +
> + /* find first register that did not see an earlier store. */
> + invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);

Is this assuming that register allocation from userspace is done sequentially?

> + /* invalid register within the range that we're loading from? */
> + if (invalid_reg < next_register)
> + return -ENODATA;
> +
> *sreg = reg;
> return 0;
> }
> EXPORT_SYMBOL_GPL(nft_parse_register_load);
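
Review bot: the find_next_zero_bit() call searches up to NFT_REG32_NUM, but only the bits in [reg, next_register) decide the outcome of the "invalid_reg < next_register" test that follows. Passing next_register as the size argument would bound the search to the range being loaded; find_next_zero_bit() returns the size when no zero bit is found, so the existing comparison still works unchanged. It would also help to state in the comment above the call that ctx->reg_inited is indexed in 32-bit register units, since next_register is derived from len via DIV_ROUND_UP(len, NFT_REG32_SIZE), and to document the new -ENODATA return, which is a distinct error from the -EINVAL used just above.
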
Thread overview:
2024-06-27 13:53 [RFC nf-next 0/4] nf_tables: remove explicit register zeroing Florian Westphal
2024-06-27 13:53 ` [RFC nf-next 1/4] netfilter: nf_tables: pass context structure to nft_parse_register_load Florian Westphal
2024-06-27 13:53 ` [RFC nf-next 2/4] netfilter: nf_tables: allow loads only when register is initialized Florian Westphal
2024-07-01 20:31 ` Pablo Neira Ayuso [this message]
2024-07-01 22:16 ` Florian Westphal
2024-06-27 13:53 ` [RFC nf-next 3/4] netfilter: nf_tables: insert register zeroing instructions for dodgy chains Florian Westphal
2024-07-01 20:30 ` Pablo Neira Ayuso
2024-07-01 22:18 ` Florian Westphal
2024-07-01 22:32 ` Pablo Neira Ayuso
2024-06-27 13:53 ` [RFC nf-next 4/4] netfilter: nf_tables: don't initialize registers in nft_do_chain() Florian Westphal