linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] netfilter: initialize 'ret' variable
@ 2022-12-02  7:03 Li Qiong
  2022-12-02  7:13 ` Al Viro
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Li Qiong @ 2022-12-02  7:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
  Cc: netdev, linux-kernel, netfilter-devel, kernel-janitors, coreteam,
	Yu Zhe, Li Qiong

The 'ret' should need to be initialized to 0, in case
return a uninitialized value.

Signed-off-by: Li Qiong <liqiong@nfschina.com>
---
 net/netfilter/nf_flow_table_ip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index b350fe9d00b0..225ff865d609 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -351,7 +351,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 	struct rtable *rt;
 	struct iphdr *iph;
 	__be32 nexthop;
-	int ret;
+	int ret = 0;
 
 	if (skb->protocol != htons(ETH_P_IP) &&
 	    !nf_flow_skb_encap_protocol(skb, htons(ETH_P_IP), &offset))
@@ -613,7 +613,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 	u32 hdrsize, offset = 0;
 	struct ipv6hdr *ip6h;
 	struct rt6_info *rt;
-	int ret;
+	int ret = 0;
 
 	if (skb->protocol != htons(ETH_P_IPV6) &&
 	    !nf_flow_skb_encap_protocol(skb, htons(ETH_P_IPV6), &offset))
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* Re: [PATCH] netfilter: initialize 'ret' variable
  2022-12-02  7:03 [PATCH] netfilter: initialize 'ret' variable Li Qiong
@ 2022-12-02  7:13 ` Al Viro
  2022-12-02  8:06   ` liqiong
  2022-12-02  9:18   ` Jan Engelhardt
  2022-12-05 14:26 ` Pablo Neira Ayuso
  2022-12-06  7:44 ` [PATCH v2] netfilter: add a 'default' case to 'switch (tuplehash->tuple.xmit_type)' Li Qiong
  2 siblings, 2 replies; 8+ messages in thread
From: Al Viro @ 2022-12-02  7:13 UTC (permalink / raw)
  To: Li Qiong
  Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	netdev, linux-kernel, netfilter-devel, kernel-janitors, coreteam,
	Yu Zhe

On Fri, Dec 02, 2022 at 03:03:31PM +0800, Li Qiong wrote:
> The 'ret' should need to be initialized to 0, in case
> return a uninitialized value.

Why is 0 the right value?  And which case would it be?
We clearly need to know that to figure out which return
value would be correct for it...

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] netfilter: initialize 'ret' variable
  2022-12-02  7:13 ` Al Viro
@ 2022-12-02  8:06   ` liqiong
  2022-12-02  9:18   ` Jan Engelhardt
  1 sibling, 0 replies; 8+ messages in thread
From: liqiong @ 2022-12-02  8:06 UTC (permalink / raw)
  To: Al Viro
  Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	netdev, linux-kernel, netfilter-devel, kernel-janitors, coreteam,
	Yu Zhe


> On Fri, Dec 02, 2022 at 03:03:31PM +0800, Li Qiong wrote:
>> The 'ret' should need to be initialized to 0, in case
>> return a uninitialized value.
> Why is 0 the right value?  And which case would it be?
> We clearly need to know that to figure out which return
> value would be correct for it...
Hi, 
here is a case:
for (i = 0; i < e->num_hook_entries; i++) {
    ret = e->hooks[i].hook(e->hooks[i].priv, skb, state);
    if (ret != NF_ACCEPT)
        return ret;
    ....
}
I am not sure if  0 (NF_DROP) is the best value, but It's better to  initialize  a value.


^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] netfilter: initialize 'ret' variable
  2022-12-02  7:13 ` Al Viro
  2022-12-02  8:06   ` liqiong
@ 2022-12-02  9:18   ` Jan Engelhardt
  1 sibling, 0 replies; 8+ messages in thread
From: Jan Engelhardt @ 2022-12-02  9:18 UTC (permalink / raw)
  To: Al Viro
  Cc: Li Qiong, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	netdev, linux-kernel, netfilter-devel, kernel-janitors, coreteam,
	Yu Zhe

On Friday 2022-12-02 08:13, Al Viro wrote:

>On Fri, Dec 02, 2022 at 03:03:31PM +0800, Li Qiong wrote:
>> The 'ret' should need to be initialized to 0, in case
>> return a uninitialized value.
>
>Why is 0 the right value?  And which case would it be?
>We clearly need to know that to figure out which return
>value would be correct for it...

Judging from the error-handling branches,
it should be ret = NF_ACCEPT.


^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] netfilter: initialize 'ret' variable
  2022-12-02  7:03 [PATCH] netfilter: initialize 'ret' variable Li Qiong
  2022-12-02  7:13 ` Al Viro
@ 2022-12-05 14:26 ` Pablo Neira Ayuso
  2022-12-06  0:29   ` liqiong
  2022-12-06  7:44 ` [PATCH v2] netfilter: add a 'default' case to 'switch (tuplehash->tuple.xmit_type)' Li Qiong
  2 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-05 14:26 UTC (permalink / raw)
  To: Li Qiong
  Cc: Jozsef Kadlecsik, Florian Westphal, David S . Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel,
	netfilter-devel, kernel-janitors, coreteam, Yu Zhe

On Fri, Dec 02, 2022 at 03:03:31PM +0800, Li Qiong wrote:
> The 'ret' should need to be initialized to 0, in case
> return a uninitialized value.
> 
> Signed-off-by: Li Qiong <liqiong@nfschina.com>
> ---
>  net/netfilter/nf_flow_table_ip.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> index b350fe9d00b0..225ff865d609 100644
> --- a/net/netfilter/nf_flow_table_ip.c
> +++ b/net/netfilter/nf_flow_table_ip.c
> @@ -351,7 +351,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
>  	struct rtable *rt;
>  	struct iphdr *iph;
>  	__be32 nexthop;
> -	int ret;
> +	int ret = 0;
>  
>  	if (skb->protocol != htons(ETH_P_IP) &&
>  	    !nf_flow_skb_encap_protocol(skb, htons(ETH_P_IP), &offset))
> @@ -613,7 +613,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
>  	u32 hdrsize, offset = 0;
>  	struct ipv6hdr *ip6h;
>  	struct rt6_info *rt;
> -	int ret;
> +	int ret = 0;
>  
>  	if (skb->protocol != htons(ETH_P_IPV6) &&
>  	    !nf_flow_skb_encap_protocol(skb, htons(ETH_P_IPV6), &offset))

This can only happen with tuplehash->tuple.xmit_type:

- FLOW_OFFLOAD_XMIT_UNSPEC
- FLOW_OFFLOAD_XMIT_TC

but this should not ever happen in that path.

Instead, I'd suggest to add a 'default' case to the switch, set ret to
NF_DROP and WARN_ON_ONCE(1).

^ permalink raw reply	[flat|nested] 8+ messages in thread
* Re: [PATCH] netfilter: initialize 'ret' variable
  2022-12-05 14:26 ` Pablo Neira Ayuso
@ 2022-12-06  0:29   ` liqiong
  0 siblings, 0 replies; 8+ messages in thread
From: liqiong @ 2022-12-06  0:29 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Jozsef Kadlecsik, Florian Westphal, David S . Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel,
	netfilter-devel, kernel-janitors, coreteam, Yu Zhe



在 2022年12月05日 22:26, Pablo Neira Ayuso 写道:
> On Fri, Dec 02, 2022 at 03:03:31PM +0800, Li Qiong wrote:
>> The 'ret' should need to be initialized to 0, in case
>> return a uninitialized value.
>>
>> Signed-off-by: Li Qiong <liqiong@nfschina.com>
>> ---
>>  net/netfilter/nf_flow_table_ip.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
>> index b350fe9d00b0..225ff865d609 100644
>> --- a/net/netfilter/nf_flow_table_ip.c
>> +++ b/net/netfilter/nf_flow_table_ip.c
>> @@ -351,7 +351,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
>>  	struct rtable *rt;
>>  	struct iphdr *iph;
>>  	__be32 nexthop;
>> -	int ret;
>> +	int ret = 0;
>>  
>>  	if (skb->protocol != htons(ETH_P_IP) &&
>>  	    !nf_flow_skb_encap_protocol(skb, htons(ETH_P_IP), &offset))
>> @@ -613,7 +613,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
>>  	u32 hdrsize, offset = 0;
>>  	struct ipv6hdr *ip6h;
>>  	struct rt6_info *rt;
>> -	int ret;
>> +	int ret = 0;
>>  
>>  	if (skb->protocol != htons(ETH_P_IPV6) &&
>>  	    !nf_flow_skb_encap_protocol(skb, htons(ETH_P_IPV6), &offset))
> This can only happen with tuplehash->tuple.xmit_type:
>
> - FLOW_OFFLOAD_XMIT_UNSPEC
> - FLOW_OFFLOAD_XMIT_TC
>
> but this should not ever happen in that path.
>
> Instead, I'd suggest to add a 'default' case to the switch, set ret to
> NF_DROP and WARN_ON_ONCE(1).
Thanks,  I will send a v2 patch.



^ permalink raw reply	[flat|nested] 8+ messages in thread
* [PATCH v2] netfilter: add a 'default' case to 'switch (tuplehash->tuple.xmit_type)'
  2022-12-02  7:03 [PATCH] netfilter: initialize 'ret' variable Li Qiong
  2022-12-02  7:13 ` Al Viro
  2022-12-05 14:26 ` Pablo Neira Ayuso
@ 2022-12-06  7:44 ` Li Qiong
  2022-12-08 21:12   ` Pablo Neira Ayuso
  2 siblings, 1 reply; 8+ messages in thread
From: Li Qiong @ 2022-12-06  7:44 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
  Cc: netdev, linux-kernel, netfilter-devel, kernel-janitors, coreteam,
	Yu Zhe, Li Qiong

Add a 'default' case in case return a uninitialized value of ret.

Signed-off-by: Li Qiong <liqiong@nfschina.com>
---
v2: Add 'default' case instead of initializing 'ret'.
---
 net/netfilter/nf_flow_table_ip.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index b350fe9d00b0..19efba1e51ef 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -421,6 +421,10 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 		if (ret == NF_DROP)
 			flow_offload_teardown(flow);
 		break;
+	default:
+		WARN_ON_ONCE(1);
+		ret = NF_DROP;
+		break;
 	}
 
 	return ret;
@@ -682,6 +686,10 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 		if (ret == NF_DROP)
 			flow_offload_teardown(flow);
 		break;
+	default:
+		WARN_ON_ONCE(1);
+		ret = NF_DROP;
+		break;
 	}
 
 	return ret;
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 8+ messages in thread
* Re: [PATCH v2] netfilter: add a 'default' case to 'switch (tuplehash->tuple.xmit_type)'
  2022-12-06  7:44 ` [PATCH v2] netfilter: add a 'default' case to 'switch (tuplehash->tuple.xmit_type)' Li Qiong
@ 2022-12-08 21:12   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2022-12-08 21:12 UTC (permalink / raw)
  To: Li Qiong
  Cc: Jozsef Kadlecsik, Florian Westphal, David S . Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev, linux-kernel,
	netfilter-devel, kernel-janitors, coreteam, Yu Zhe

On Tue, Dec 06, 2022 at 03:44:14PM +0800, Li Qiong wrote:
> Add a 'default' case in case return a uninitialized value of ret.

Applied, thanks.

^ permalink raw reply	[flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-12-08 21:12 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-02  7:03 [PATCH] netfilter: initialize 'ret' variable Li Qiong
2022-12-02  7:13 ` Al Viro
2022-12-02  8:06   ` liqiong
2022-12-02  9:18   ` Jan Engelhardt
2022-12-05 14:26 ` Pablo Neira Ayuso
2022-12-06  0:29   ` liqiong
2022-12-06  7:44 ` [PATCH v2] netfilter: add a 'default' case to 'switch (tuplehash->tuple.xmit_type)' Li Qiong
2022-12-08 21:12   ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).