Re: [PATCH net-next 5/6] netlink: add mask validation

From: Johannes Berg <johannes@sipsolutions.net>
To: Jakub Kicinski <kuba@kernel.org>
Cc: Michal Kubecek <mkubecek@suse.cz>,
	davem@davemloft.net, netdev@vger.kernel.org, kernel-team@fb.com,
	jiri@resnulli.us, andrew@lunn.ch, dsahern@gmail.com,
	pablo@netfilter.org
Subject: Re: [PATCH net-next 5/6] netlink: add mask validation
Date: Tue, 06 Oct 2020 08:37:01 +0200	[thread overview]
Message-ID: <3418a5af0030a7d4aa447fd8d6ef75b0a6cb3259.camel@sipsolutions.net> (raw)
In-Reply-To: <20201005152110.42b8e71e@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Mon, 2020-10-05 at 15:21 -0700, Jakub Kicinski wrote:

> > > Nice, easy & useful, maybe I'll code it up tomorrow.  
> > 
> > OK I thought about it a bit more and looked at the code, and it's not
> > actually possible to do easily right now, because we can't actually
> > point to the bad attribute from the general lib/nlattr.c code ...
> > 
> > Why? Because we don't know right now, e.g. for nla_validate(), where in
> > the message we started validation, i.e. the offset of the "head" inside
> > the particular message.
> > 
> > For nlmsg_parse() and friends that's a bit easier, but it needs more
> > rejiggering than I'm willing to do tonight ;)
> 
> I thought we'd record the const struct nla_policy *tp for the failing
> attr in struct netlink_ext_ack and output based on that.

We could, but it's a bit useless if you know "which" attribute caused
the issue, but you don't know where it was in the message? That way you
wouldn't know the nesting level etc.

I mean, we actually have that problem today - the generic lib/nlattr.c
policy violation doesn't tell you where exactly the problem occurred, so
it'd be good to fix that regardless.

johannes