[PATCH nft 1/2] cache: prepare nft_cache_evaluate() to return error

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH nft 1/2] cache: prepare nft_cache_evaluate() to return error
@ 2022-07-18 15:02 Pablo Neira Ayuso
  2022-07-18 15:02 ` [PATCH nft 2/2] cache: validate handle string length Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2022-07-18 15:02 UTC (permalink / raw)
  To: netfilter-devel

Move flags as parameter reference and add list of error messages to prepare
for sanity checks.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/cache.h   | 5 +++--
 src/cache.c       | 8 +++++---
 src/libnftables.c | 5 ++++-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/include/cache.h b/include/cache.h
index b6c7d48bfba6..575381ef971b 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -65,8 +65,9 @@ struct nft_cache_filter {
 struct nft_cache;
 enum cmd_ops;
 
-unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
-				struct nft_cache_filter *filter);
+int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
+		       struct list_head *msgs, struct nft_cache_filter *filter,
+		       unsigned int *flags);
 int nft_cache_update(struct nft_ctx *ctx, enum cmd_ops cmd,
 		     struct list_head *msgs,
 		     const struct nft_cache_filter *filter);
diff --git a/src/cache.c b/src/cache.c
index b6ae2310b175..9e2fe950a884 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -262,8 +262,9 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 	return flags;
 }
 
-unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
-				struct nft_cache_filter *filter)
+int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
+		       struct list_head *msgs, struct nft_cache_filter *filter,
+		       unsigned int *pflags)
 {
 	unsigned int flags = NFT_CACHE_EMPTY;
 	struct cmd *cmd;
@@ -318,8 +319,9 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 			break;
 		}
 	}
+	*pflags = flags;
 
-	return flags;
+	return 0;
 }
 
 void table_cache_add(struct table *table, struct nft_cache *cache)
diff --git a/src/libnftables.c b/src/libnftables.c
index f2a1ef04e80b..a376825d7309 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -506,7 +506,10 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
 	int err = 0;
 
 	filter = nft_cache_filter_init();
-	flags = nft_cache_evaluate(nft, cmds, filter);
+	if (nft_cache_evaluate(nft, cmds, msgs, filter, &flags) < 0) {
+		nft_cache_filter_fini(filter);
+		return -1;
+	}
 	if (nft_cache_update(nft, flags, msgs, filter) < 0) {
 		nft_cache_filter_fini(filter);
 		return -1;
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [PATCH nft 2/2] cache: validate handle string length
  2022-07-18 15:02 [PATCH nft 1/2] cache: prepare nft_cache_evaluate() to return error Pablo Neira Ayuso
@ 2022-07-18 15:02 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2022-07-18 15:02 UTC (permalink / raw)
  To: netfilter-devel

Maximum supported string length for handle is NFT_NAME_MAXLEN, report an
error if user is exceeding this limit.

By validating from the cache evaluation phase, both the native and json
parsers handle input are validated.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/cache.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 104 insertions(+), 2 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index 9e2fe950a884..8cae35deb90a 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -16,6 +16,7 @@
 #include <mnl.h>
 #include <libnftnl/chain.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
 
 static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
 {
@@ -262,6 +263,107 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 	return flags;
 }
 
+static int nft_cmd_validate(const struct cmd *cmd, struct list_head *msgs)
+{
+	const struct handle *h = &cmd->handle;
+	const struct location *loc;
+
+	switch (cmd->obj) {
+	case CMD_OBJ_TABLE:
+		if (h->table.name &&
+		    strlen(h->table.name) > NFT_NAME_MAXLEN) {
+			loc = &h->table.location;
+			goto err_name_too_long;
+		}
+		break;
+	case CMD_OBJ_RULE:
+	case CMD_OBJ_CHAIN:
+	case CMD_OBJ_CHAINS:
+		if (strlen(h->table.name) > NFT_NAME_MAXLEN) {
+			loc = &h->table.location;
+			goto err_name_too_long;
+		}
+		if (h->chain.name &&
+		    strlen(h->chain.name) > NFT_NAME_MAXLEN) {
+			loc = &h->chain.location;
+			goto err_name_too_long;
+		}
+		break;
+	case CMD_OBJ_ELEMENTS:
+	case CMD_OBJ_SET:
+	case CMD_OBJ_SETS:
+	case CMD_OBJ_MAP:
+	case CMD_OBJ_MAPS:
+	case CMD_OBJ_METER:
+	case CMD_OBJ_METERS:
+		if (h->table.name &&
+		    strlen(h->table.name) > NFT_NAME_MAXLEN) {
+			loc = &h->table.location;
+			goto err_name_too_long;
+		}
+		if (h->set.name &&
+		    strlen(h->set.name) > NFT_NAME_MAXLEN) {
+			loc = &h->set.location;
+			goto err_name_too_long;
+		}
+		break;
+	case CMD_OBJ_FLOWTABLE:
+	case CMD_OBJ_FLOWTABLES:
+		if (h->table.name &&
+		    strlen(h->table.name) > NFT_NAME_MAXLEN) {
+			loc = &h->table.location;
+			goto err_name_too_long;
+		}
+		if (cmd->handle.flowtable.name &&
+		    strlen(cmd->handle.flowtable.name) > NFT_NAME_MAXLEN) {
+			loc = &h->flowtable.location;
+			goto err_name_too_long;
+		}
+		break;
+	case CMD_OBJ_INVALID:
+	case CMD_OBJ_EXPR:
+	case CMD_OBJ_RULESET:
+	case CMD_OBJ_MARKUP:
+	case CMD_OBJ_MONITOR:
+	case CMD_OBJ_SETELEMS:
+	case CMD_OBJ_HOOKS:
+		break;
+	case CMD_OBJ_COUNTER:
+	case CMD_OBJ_COUNTERS:
+	case CMD_OBJ_QUOTA:
+	case CMD_OBJ_QUOTAS:
+	case CMD_OBJ_LIMIT:
+	case CMD_OBJ_LIMITS:
+	case CMD_OBJ_SECMARK:
+	case CMD_OBJ_SECMARKS:
+	case CMD_OBJ_SYNPROXY:
+	case CMD_OBJ_SYNPROXYS:
+	case CMD_OBJ_CT_HELPER:
+	case CMD_OBJ_CT_HELPERS:
+	case CMD_OBJ_CT_TIMEOUT:
+	case CMD_OBJ_CT_EXPECT:
+		if (h->table.name &&
+		    strlen(h->table.name) > NFT_NAME_MAXLEN) {
+			loc = &h->table.location;
+			goto err_name_too_long;
+		}
+		if (h->obj.name &&
+		    strlen(h->obj.name) > NFT_NAME_MAXLEN) {
+			loc = &h->obj.location;
+			goto err_name_too_long;
+		}
+		break;
+	}
+
+	return 0;
+
+err_name_too_long:
+	erec_queue(error(loc, "name too long, %d characters maximum allowed",
+			 NFT_NAME_MAXLEN),
+		   msgs);
+	return -1;
+}
+
 int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 		       struct list_head *msgs, struct nft_cache_filter *filter,
 		       unsigned int *pflags)
@@ -270,8 +372,8 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 	struct cmd *cmd;
 
 	list_for_each_entry(cmd, cmds, list) {
-		if (filter->list.table && cmd->op != CMD_LIST)
-			memset(&filter->list, 0, sizeof(filter->list));
+		if (nft_cmd_validate(cmd, msgs) < 0)
+			return -1;
 
 		switch (cmd->op) {
 		case CMD_ADD:
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-07-18 15:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-18 15:02 [PATCH nft 1/2] cache: prepare nft_cache_evaluate() to return error Pablo Neira Ayuso
2022-07-18 15:02 ` [PATCH nft 2/2] cache: validate handle string length Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).