[PATCH nft] parser_bison: bail out on too long names

[PATCH nft] parser_bison: bail out on too long names

[Pablo Neira Ayuso]

If user specifies a too long object name, bail out.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 93 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 93 insertions(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index ae14eb1a690b..c1ca15b49b81 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1533,6 +1533,13 @@ basehook_spec		:	ruleset_spec
 			|	ruleset_spec    basehook_device_name
 			{
 				if ($2) {
+					if (strlen($2) > NFT_NAME_MAXLEN) {
+						erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+								 NFT_NAME_MAXLEN),
+							   state->msgs);
+						xfree($2);
+						YYERROR;
+					}
 					$1.obj.name = $2;
 					$1.obj.location = @2;
 				}
@@ -2597,6 +2604,13 @@ table_spec		:	family_spec	identifier
 				$$.family	= $1;
 				$$.table.location = @2;
 				$$.table.name	= $2;
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2614,6 +2628,13 @@ chain_spec		:	table_spec	identifier
 				$$		= $1;
 				$$.chain.name	= $2;
 				$$.chain.location = @2;
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2630,6 +2651,13 @@ chain_identifier	:	identifier
 				memset(&$$, 0, sizeof($$));
 				$$.chain.name		= $1;
 				$$.chain.location	= @1;
+				if (strlen($1) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@1, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($1);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2638,6 +2666,13 @@ set_spec		:	table_spec	identifier
 				$$		= $1;
 				$$.set.name	= $2;
 				$$.set.location	= @2;
+				if (strlen($$.set.name) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2654,6 +2689,13 @@ set_identifier		:	identifier
 				memset(&$$, 0, sizeof($$));
 				$$.set.name	= $1;
 				$$.set.location	= @1;
+				if (strlen($$.set.name) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@1, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($1);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2662,6 +2704,13 @@ flowtable_spec		:	table_spec	identifier
 				$$			= $1;
 				$$.flowtable.name	= $2;
 				$$.flowtable.location	= @2;
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2678,6 +2727,13 @@ flowtable_identifier	:	identifier
 				memset(&$$, 0, sizeof($$));
 				$$.flowtable.name	= $1;
 				$$.flowtable.location	= @1;
+				if (strlen($1) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@1, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($1);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2686,6 +2742,13 @@ obj_spec		:	table_spec	identifier
 				$$		= $1;
 				$$.obj.name	= $2;
 				$$.obj.location	= @2;
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
@@ -2702,6 +2765,13 @@ obj_identifier		:	identifier
 				memset(&$$, 0, sizeof($$));
 				$$.obj.name		= $1;
 				$$.obj.location		= @1;
+				if (strlen($1) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@1, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($1);
+					YYERROR;
+				}
 			}
 			;
 
@@ -3980,6 +4050,13 @@ flow_stmt_opts		:	flow_stmt_opt
 flow_stmt_opt		:	TABLE			identifier
 			{
 				$<stmt>0->meter.name = $2;
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
@@ -3991,6 +4068,14 @@ meter_stmt_alloc	:	METER	identifier		'{' meter_key_expr stmt '}'
 				$$->meter.key  = $4;
 				$$->meter.stmt = $5;
 				$$->location  = @$;
+
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			|	METER	identifier	SIZE	NUM	'{' meter_key_expr stmt '}'
 			{
@@ -4000,6 +4085,14 @@ meter_stmt_alloc	:	METER	identifier		'{' meter_key_expr stmt '}'
 				$$->meter.key  = $6;
 				$$->meter.stmt = $7;
 				$$->location  = @$;
+
+				if (strlen($2) > NFT_NAME_MAXLEN) {
+					erec_queue(error(&@2, "name too long, %d characters maximum allowed",
+							 NFT_NAME_MAXLEN),
+						   state->msgs);
+					xfree($2);
+					YYERROR;
+				}
 			}
 			;
 
-- 
2.30.2

Re: [PATCH nft] parser_bison: bail out on too long names

[Phil Sutter]

Hi,

On Sat, Jul 16, 2022 at 10:05:49AM +0200, Pablo Neira Ayuso wrote:
> If user specifies a too long object name, bail out.

Shouldn't this be done in eval phase or so? As-is, this patch introduces
a standard syntax-specific limitation people may circumvent using JSON,
no?

Cheers, Phil

Re: [PATCH nft] parser_bison: bail out on too long names

[Pablo Neira Ayuso]

On Sat, Jul 16, 2022 at 01:56:28PM +0200, Phil Sutter wrote:
> Hi,
> 
> On Sat, Jul 16, 2022 at 10:05:49AM +0200, Pablo Neira Ayuso wrote:
> > If user specifies a too long object name, bail out.
> 
> Shouldn't this be done in eval phase or so? As-is, this patch introduces
> a standard syntax-specific limitation people may circumvent using JSON,
> no?

I can do it from eval phase. I will have to add more eval functions
though, because eval is not always called from for every command.

Re: [PATCH nft] parser_bison: bail out on too long names

[Phil Sutter]

On Mon, Jul 18, 2022 at 01:32:30PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Jul 16, 2022 at 01:56:28PM +0200, Phil Sutter wrote:
> > Hi,
> > 
> > On Sat, Jul 16, 2022 at 10:05:49AM +0200, Pablo Neira Ayuso wrote:
> > > If user specifies a too long object name, bail out.
> > 
> > Shouldn't this be done in eval phase or so? As-is, this patch introduces
> > a standard syntax-specific limitation people may circumvent using JSON,
> > no?
> 
> I can do it from eval phase. I will have to add more eval functions
> though, because eval is not always called from for every command.

All I'm saying is we shouldn't divert in between the two parsers. Why is
limiting the max name length required, BTW?

Cheers, Phil

Re: [PATCH nft] parser_bison: bail out on too long names

[Pablo Neira Ayuso]

On Mon, Jul 18, 2022 at 03:15:05PM +0200, Phil Sutter wrote:
> On Mon, Jul 18, 2022 at 01:32:30PM +0200, Pablo Neira Ayuso wrote:
> > On Sat, Jul 16, 2022 at 01:56:28PM +0200, Phil Sutter wrote:
> > > Hi,
> > > 
> > > On Sat, Jul 16, 2022 at 10:05:49AM +0200, Pablo Neira Ayuso wrote:
> > > > If user specifies a too long object name, bail out.
> > > 
> > > Shouldn't this be done in eval phase or so? As-is, this patch introduces
> > > a standard syntax-specific limitation people may circumvent using JSON,
> > > no?
> > 
> > I can do it from eval phase. I will have to add more eval functions
> > though, because eval is not always called from for every command.
> 
> All I'm saying is we shouldn't divert in between the two parsers. Why is
> limiting the max name length required, BTW?

Right, this should be handled for the json parser too, sending v2.