* [PATCH] nftables: validate port number in inet_service_type_parse
@ 2013-08-15 17:19 Phil Oester
  2013-08-17 10:29 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Phil Oester @ 2013-08-15 17:19 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo

At present, nft accepts out of range port values such as in this example:

    nft add rule ip filter input tcp dport 123456 accept

Attached patch adds checks for both integer overflow and 16 bit overflow,
and avoids getaddrinfo call in the (common) case of digit input. Example
above now produces this output:

    <cmdline>:1:36-41: Error: Service out of range
    add rule ip filter input tcp dport 123456 accept
                                       ^^^^^^

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>



[-- Attachment #2: patch-nft-inet_service_type_parse --]
[-- Type: text/plain, Size: 1361 bytes --]

diff --git a/src/datatype.c b/src/datatype.c
index 55368ee..be32851 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -11,6 +11,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <inttypes.h>
+#include <errno.h>
 #include <netdb.h>
 #include <arpa/inet.h>
 #include <linux/types.h>
@@ -500,18 +501,30 @@ static struct error_record *inet_service_type_parse(const struct expr *sym,
 {
 	struct addrinfo *ai;
 	uint16_t port;
+	uintmax_t i;
 	int err;
+	char *end;
+
+	errno = 0;
+	i = strtoumax(sym->identifier, &end, 0);
+	if (sym->identifier != end && *end == '\0') {
+		if (errno == ERANGE || i > UINT16_MAX)
+			return error(&sym->location, "Service out of range");
+
+		port = i;
+	} else {
+		err = getaddrinfo(NULL, sym->identifier, NULL, &ai);
+		if (err != 0)
+			return error(&sym->location, "Could not resolve service: %s",
+				     gai_strerror(err));
+
+		port = ((struct sockaddr_in *)ai->ai_addr)->sin_port;
+		freeaddrinfo(ai);
+	}
 
-	err = getaddrinfo(NULL, sym->identifier, NULL, &ai);
-	if (err != 0)
-		return error(&sym->location, "Could not resolve service: %s",
-			     gai_strerror(err));
-
-	port = ((struct sockaddr_in *)ai->ai_addr)->sin_port;
 	*res = constant_expr_alloc(&sym->location, &inet_service_type,
 				   BYTEORDER_BIG_ENDIAN,
 				   sizeof(port) * BITS_PER_BYTE, &port);
-	freeaddrinfo(ai);
 	return NULL;
 }
 
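Review bot: the two branches of the rewritten function leave `port` in different byte orders. The getaddrinfo() path copies `sin_port`, which is already in network (big-endian) order, while the new numeric path stores `port = i;` in host order, and both values then reach constant_expr_alloc() tagged BYTEORDER_BIG_ENDIAN; on a little-endian host the bytes of `80` (0x50 0x00) read as big-endian are 20480, so `tcp dport 80` would match the wrong port. Suggest `port = htons(i);` in the numeric branch. A minor second point: strtoumax() accepts a leading '-' and leading whitespace, so `-1` is rejected only because the negated value wraps above UINT16_MAX; an explicit check that the token starts with a digit would make the intent clearer.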

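A stand-alone version of the check the cover letter describes, added here as an illustration and not code from the nft tree or from Phil's patch: the `parse_service()` and `truncating_port()` names and the `port_status` enum are invented for this example, the sample inputs are constructed, and the numeric branch additionally converts the value with htons() so it agrees with the network-order `sin_port` that the getaddrinfo() branch returns. The naive `truncating_port()` is included only to show what silent 16-bit wrap-around does to a typo like 123456.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <inttypes.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Parse outcomes; these enum names are invented for this example. */
enum port_status {
	PORT_OK = 0,        /* value fits in 16 bits, or the service name resolved */
	PORT_OUT_OF_RANGE,  /* numeric token that overflowed uintmax_t or exceeds 65535 */
	PORT_UNRESOLVED     /* non-numeric token that getaddrinfo() could not resolve */
};

/*
 * Constructed "naive" parser for contrast (not the pre-patch nft code): a
 * blind cast to uint16_t wraps modulo 65536, so the typo 123456 silently
 * becomes 123456 - 65536 = 57920 and the rule matches a port nobody intended.
 */
static uint16_t truncating_port(const char *tok)
{
	return (uint16_t)strtoul(tok, NULL, 10);
}

/*
 * Hardened parser mirroring the patch's two checks: errno == ERANGE catches
 * overflow of uintmax_t itself, and the comparison against UINT16_MAX catches
 * values that parsed fine but do not fit a port. The result is always stored
 * in network byte order so the numeric and the getaddrinfo() branch agree.
 */
static enum port_status parse_service(const char *tok, uint16_t *port_be)
{
	struct addrinfo *ai;
	uintmax_t v;
	char *end;
	int err;

	errno = 0;
	v = strtoumax(tok, &end, 0);        /* base 0: decimal, 0x.. hex, 0.. octal */
	if (end != tok && *end == '\0') {
		/* Whole token was numeric: range-check it, never truncate it. */
		if (errno == ERANGE || v > UINT16_MAX)
			return PORT_OUT_OF_RANGE;
		*port_be = htons((uint16_t)v);
		return PORT_OK;
	}

	/* Anything else is treated as a service name, as the patch does. */
	err = getaddrinfo(NULL, tok, NULL, &ai);
	if (err != 0)
		return PORT_UNRESOLVED;
	/* sin_port is already big-endian; sin6_port sits at the same offset. */
	*port_be = ((struct sockaddr_in *)ai->ai_addr)->sin_port;
	freeaddrinfo(ai);
	return PORT_OK;
}

int main(void)
{
	/* Constructed inputs: the cover letter's example plus a few edge cases. */
	const char *inputs[] = { "80", "0x50", "65535", "65536", "123456",
				 "99999999999999999999999", "-1",
				 "no-such-service-xyz" };
	size_t n;

	for (n = 0; n < sizeof(inputs) / sizeof(inputs[0]); n++) {
		uint16_t p = 0;
		enum port_status st = parse_service(inputs[n], &p);

		printf("%-24s -> status %d, port %u (naive cast would give %u)\n",
		       inputs[n], (int)st,
		       st == PORT_OK ? (unsigned)ntohs(p) : 0u,
		       (unsigned)truncating_port(inputs[n]));
	}
	return 0;
}
```

The service-name fallback needs only the local services database (getaddrinfo() is called with a NULL node), so the program runs offline; the one non-numeric input is chosen so that resolution fails and the unresolved path is exercised rather than a name that may or may not be present in /etc/services.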

* Re: [PATCH] nftables: validate port number in inet_service_type_parse
  2013-08-15 17:19 [PATCH] nftables: validate port number in inet_service_type_parse Phil Oester
@ 2013-08-17 10:29 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2013-08-17 10:29 UTC (permalink / raw)
  To: Phil Oester; +Cc: netfilter-devel

On Thu, Aug 15, 2013 at 10:19:11AM -0700, Phil Oester wrote:
> At present, nft accepts out of range port values such as in this example:
> 
>     nft add rule ip filter input tcp dport 123456 accept
> 
> Attached patch adds checks for both integer overflow and 16 bit overflow,
> and avoids getaddrinfo call in the (common) case of digit input. Example
> above now produces this output:
> 
>     <cmdline>:1:36-41: Error: Service out of range
>     add rule ip filter input tcp dport 123456 accept
>                                        ^^^^^^

Applied, thanks Phil.
