[PATCH v2 2/3] netfilter: log: protect nf_log_register against double registering

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Marcelo Ricardo Leitner <mleitner@redhat.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH v2 2/3] netfilter: log: protect nf_log_register against double registering
Date: Fri, 24 Oct 2014 10:59:50 -0200	[thread overview]
Message-ID: <dad1a3c1e30a676f3d17244ec74acef4dd0c9ca9.1414155204.git.mleitner@redhat.com> (raw)
In-Reply-To: <12a99ae77aa9969692d847d8d2929deb13485e72.1414155204.git.mleitner@redhat.com>

Currently, despite the comment right before the function,
nf_log_register allows registering two loggers on with the same type and
end up overwriting the previous register.

Not a real issue today as current tree doesn't have two loggers for the
same type but it's better to get this protected.

Also make sure that all of its callers do error checking.

Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
---

Notes:
    v1->v2:
     - make use of pr_fmt
     - added err1 error handling flow
     - based on nft_log_dereference()

 net/ipv4/netfilter/nf_log_arp.c  | 12 +++++++++++-
 net/ipv4/netfilter/nf_log_ipv4.c | 12 +++++++++++-
 net/ipv6/netfilter/nf_log_ipv6.c | 12 +++++++++++-
 net/netfilter/nf_log.c           | 11 ++++++++++-
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index ccfc78db12ee8acae68faf451f2cf6bc5597f2c1..0c8799a0c9e46df1bd414251c4d5661da024fae1 100644
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
@@ -10,6 +10,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
@@ -130,8 +131,17 @@ static int __init nf_log_arp_init(void)
 	if (ret < 0)
 		return ret;
 
-	nf_log_register(NFPROTO_ARP, &nf_arp_logger);
+	ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
+	if (ret < 0) {
+		pr_err("failed to register logger\n");
+		goto err1;
+	}
+
 	return 0;
+
+err1:
+	unregister_pernet_subsys(&nf_log_arp_net_ops);
+	return ret;
 }
 
 static void __exit nf_log_arp_exit(void)
diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
index 078bdca1b607a167e05e7cf1bdfedccdd5aca92a..75101980eeee197a4f8413bbd7d29f4fd9e4bb74 100644
--- a/net/ipv4/netfilter/nf_log_ipv4.c
+++ b/net/ipv4/netfilter/nf_log_ipv4.c
@@ -5,6 +5,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
@@ -366,8 +367,17 @@ static int __init nf_log_ipv4_init(void)
 	if (ret < 0)
 		return ret;
 
-	nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
+	ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
+	if (ret < 0) {
+		pr_err("failed to register logger\n");
+		goto err1;
+	}
+
 	return 0;
+
+err1:
+	unregister_pernet_subsys(&nf_log_ipv4_net_ops);
+	return ret;
 }
 
 static void __exit nf_log_ipv4_exit(void)
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index 7b17a0be93e7eccb2a26cd3294713d0f1112158d..7fc34d1681a195ff071406811771b8327337db22 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -5,6 +5,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
@@ -398,8 +399,17 @@ static int __init nf_log_ipv6_init(void)
 	if (ret < 0)
 		return ret;
 
-	nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
+	ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
+	if (ret < 0) {
+		pr_err("failed to register logger\n");
+		goto err1;
+	}
+
 	return 0;
+
+err1:
+	unregister_pernet_subsys(&nf_log_ipv6_net_ops);
+	return ret;
 }
 
 static void __exit nf_log_ipv6_exit(void)
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index f1409d95f810c689ec70755eb8a85125d291ad47..e7c7439f48db590eba8f7f2eac61fafd9e571389 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -82,10 +82,19 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
 	mutex_lock(&nf_log_mutex);
 
 	if (pf == NFPROTO_UNSPEC) {
+		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) {
+			if (nft_log_dereference(loggers[i][logger->type])) {
+				mutex_unlock(&nf_log_mutex);
+				return -EEXIST;
+			}
+		}
 		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
 			rcu_assign_pointer(loggers[i][logger->type], logger);
 	} else {
-		/* register at end of list to honor first register win */
+		if (nft_log_dereference(loggers[pf][logger->type])) {
+			mutex_unlock(&nf_log_mutex);
+			return -EEXIST;
+		}
 		rcu_assign_pointer(loggers[pf][logger->type], logger);
 	}
 
-- 
1.9.3

next prev parent reply	other threads:[~2014-10-24 12:59 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-10-24 12:59 [PATCH 1/3] Introduce nft_log_dereference() macro Marcelo Ricardo Leitner
2014-10-24 12:59 ` Marcelo Ricardo Leitner [this message]
2014-10-27 22:09   ` [PATCH v2 2/3] netfilter: log: protect nf_log_register against double registering Pablo Neira Ayuso
2014-10-28 12:51     ` Marcelo Ricardo Leitner
2014-10-24 12:59 ` [PATCH 3/3] Make use of pr_fmt where applicable Marcelo Ricardo Leitner
2014-10-24 18:11   ` Marcelo Ricardo Leitner
2014-10-24 18:27     ` Marcelo Ricardo Leitner
     [not found]   ` <12a99ae77aa9969692d847d8d2929deb13485e72.1414175014.git.mleitner@redhat.com>
2014-10-24 18:46     ` [PATCH v2 " Marcelo Ricardo Leitner
2014-10-27 22:23       ` Pablo Neira Ayuso
2014-10-28 12:59         ` Marcelo Ricardo Leitner
2014-10-28 19:56           ` Marcelo Ricardo Leitner
2014-10-28 20:12             ` Pablo Neira Ayuso
2014-10-28 20:16               ` Marcelo Ricardo Leitner
2014-10-27 22:03 ` [PATCH 1/3] Introduce nft_log_dereference() macro Pablo Neira Ayuso
2014-10-28 12:47   ` Marcelo Ricardo Leitner

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ccfc78db12ee8acae68faf451f2cf6bc5597f2c
dfblob:0c8799a0c9e46df1bd414251c4d5661da024fae
dfblob:078bdca1b607a167e05e7cf1bdfedccdd5aca92
dfblob:75101980eeee197a4f8413bbd7d29f4fd9e4bb7
dfblob:7b17a0be93e7eccb2a26cd3294713d0f1112158
dfblob:7fc34d1681a195ff071406811771b8327337db2
dfblob:f1409d95f810c689ec70755eb8a85125d291ad4
dfblob:e7c7439f48db590eba8f7f2eac61fafd9e57138 )
 OR (
bs:"[PATCH v2 2/3] netfilter: log: protect nf_log_register against double registering" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=dad1a3c1e30a676f3d17244ec74acef4dd0c9ca9.1414155204.git.mleitner@redhat.com \
    --to=mleitner@redhat.com \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).