* [PATCH][next] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings
@ 2026-04-08 21:27 Gustavo A. R. Silva
0 siblings, 0 replies; only message in thread
From: Gustavo A. R. Silva @ 2026-04-08 21:27 UTC (permalink / raw)
To: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
Cc: netfilter-devel, coreteam, netdev, linux-kernel,
Gustavo A. R. Silva, linux-hardening
-Wflex-array-member-not-at-end was introduced in GCC-14, and we are
getting ready to enable it, globally.
struct compat_xt_standard_target and struct compat_xt_error_target are
only used in xt_compat_check_entry_offsets(). Remove these structs and
instead define the same memory layout on the stack via flexible struct
compat_xt_entry_target and DEFINE_RAW_FLEX(). Adjust the rest of the
code accordingly.
With these changes, fix the following warnings:
1 net/netfilter/x_tables.c:816:39: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
1 net/netfilter/x_tables.c:811:39: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
net/netfilter/x_tables.c | 30 +++++++++++++-----------------
1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index b39017c80548..a58107038a24 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -817,17 +817,6 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
}
EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
-/* non-compat version may have padding after verdict */
-struct compat_xt_standard_target {
- struct compat_xt_entry_target t;
- compat_uint_t verdict;
-};
-
-struct compat_xt_error_target {
- struct compat_xt_entry_target t;
- char errorname[XT_FUNCTION_MAXNAMELEN];
-};
-
int xt_compat_check_entry_offsets(const void *base, const char *elems,
unsigned int target_offset,
unsigned int next_offset)
@@ -850,18 +839,25 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,
return -EINVAL;
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
- const struct compat_xt_standard_target *st = (const void *)t;
+ DEFINE_RAW_FLEX(const struct compat_xt_entry_target, st, data,
+ sizeof(compat_uint_t));
+ compat_uint_t *verdict = (compat_uint_t *)st->data;
- if (COMPAT_XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
+ st = (const void *)t;
+
+ if (COMPAT_XT_ALIGN(target_offset + __struct_size(st)) !=
+ next_offset)
return -EINVAL;
- if (!verdict_ok(st->verdict))
+ if (!verdict_ok(*verdict))
return -EINVAL;
} else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
- const struct compat_xt_error_target *et = (const void *)t;
+ DEFINE_RAW_FLEX(const struct compat_xt_entry_target, et, data,
+ XT_FUNCTION_MAXNAMELEN);
+ et = (const void *)t;
- if (!error_tg_ok(t->u.target_size, sizeof(*et),
- et->errorname, sizeof(et->errorname)))
+ if (!error_tg_ok(t->u.target_size, __struct_size(et),
+ et->data, __member_size(et->data)))
return -EINVAL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-04-08 21:28 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-08 21:27 [PATCH][next] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings Gustavo A. R. Silva
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox