From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH] erec: Sanitize erec location indesc
Date: Tue, 9 Feb 2021 16:50:30 +0100 [thread overview]
Message-ID: <20210209155030.GA16191@salvia> (raw)
In-Reply-To: <20210209141151.GO3158@orbyte.nwl.cc>
On Tue, Feb 09, 2021 at 03:11:51PM +0100, Phil Sutter wrote:
> Hi Pablo,
>
> On Tue, Feb 09, 2021 at 02:15:11PM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Feb 03, 2021 at 11:45:07AM +0100, Phil Sutter wrote:
> > > On Wed, Feb 03, 2021 at 01:38:32AM +0100, Pablo Neira Ayuso wrote:
> > > > On Tue, Jan 26, 2021 at 06:55:02PM +0100, Phil Sutter wrote:
> > > > > erec_print() unconditionally dereferences erec->locations->indesc, so
> > > > > make sure it is valid when either creating an erec or adding a location.
> > > >
> > > > I guess your're trigger a bug where erec is indesc is NULL, thing is
> > > > that indesc should be always set on. Is there a reproducer for this bug?
> > >
> > > Yes, exactly. I hit it when trying to clean up the netdev family reject
> > > support, while just "hacking around". You can trigger it with the
> > > following change:
> > >
> > > | --- a/src/evaluate.c
> > > | +++ b/src/evaluate.c
> > > | @@ -2718,7 +2718,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
> > > | const struct proto_desc *desc;
> > > |
> > > | desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
> > > | - if (desc != &proto_eth && desc != &proto_vlan && desc != &proto_netdev)
> > > | + if (desc != &proto_eth && desc != &proto_vlan)
> > > | return stmt_binary_error(ctx,
> > > | &ctx->pctx.protocol[PROTO_BASE_LL_HDR],
> > > | stmt, "unsupported link layer protocol");
> >
> > I'm attaching fix.
> >
> > Looks like call to stmt_binary_error() parameters are not in the right
> > order, &ctx->pctx.protocol[PROTO_BASE_LL_HDR] has indesc.
>
> Thanks for addressing the root problem!
>
> > Probably add a bugtrap to erec to check that indesc is always set on
> > accordingly instead?
>
> Is it better than just sanitizing input to error functions? After all we
> just want to make sure users see the error message, right? Catching
> the programming mistake (wrong args passed to __stmt_binary_error())
> IMHO is useful only if we can compile-time assert it. Otherwise we risk
> hiding error info from user.
I see. I don't see a way to catch this at compile time.
Push out your patch and I'll push mine too for correctness.
next prev parent reply other threads:[~2021-02-09 15:51 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-26 17:55 [nft PATCH] erec: Sanitize erec location indesc Phil Sutter
2021-02-03 0:38 ` Pablo Neira Ayuso
2021-02-03 10:45 ` Phil Sutter
2021-02-09 13:15 ` Pablo Neira Ayuso
2021-02-09 13:22 ` Pablo Neira Ayuso
2021-02-09 14:11 ` Phil Sutter
2021-02-09 15:50 ` Pablo Neira Ayuso [this message]
2021-02-09 15:53 ` Pablo Neira Ayuso
2021-02-09 15:54 ` Pablo Neira Ayuso
2021-02-09 16:01 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210209155030.GA16191@salvia \
--to=pablo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).