netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 06/17] netfilter: log: protect nf_log_register against double registering
Date: Mon, 24 Nov 2014 14:27:43 +0100	[thread overview]
Message-ID: <1416835674-11871-7-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1416835674-11871-1-git-send-email-pablo@netfilter.org>

From: Marcelo Leitner <mleitner@redhat.com>

Currently, despite the comment right before the function,
nf_log_register allows registering two loggers on with the same type and
end up overwriting the previous register.

Not a real issue today as current tree doesn't have two loggers for the
same type but it's better to get this protected.

Also make sure that all of its callers do error checking.

Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/nf_log_arp.c  |   12 +++++++++++-
 net/ipv4/netfilter/nf_log_ipv4.c |   12 +++++++++++-
 net/ipv6/netfilter/nf_log_ipv6.c |   12 +++++++++++-
 net/netfilter/nf_log.c           |   16 +++++++++++++---
 4 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
index ccfc78d..0c8799a 100644
--- a/net/ipv4/netfilter/nf_log_arp.c
+++ b/net/ipv4/netfilter/nf_log_arp.c
@@ -10,6 +10,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
@@ -130,8 +131,17 @@ static int __init nf_log_arp_init(void)
 	if (ret < 0)
 		return ret;
 
-	nf_log_register(NFPROTO_ARP, &nf_arp_logger);
+	ret = nf_log_register(NFPROTO_ARP, &nf_arp_logger);
+	if (ret < 0) {
+		pr_err("failed to register logger\n");
+		goto err1;
+	}
+
 	return 0;
+
+err1:
+	unregister_pernet_subsys(&nf_log_arp_net_ops);
+	return ret;
 }
 
 static void __exit nf_log_arp_exit(void)
diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
index 078bdca..7510198 100644
--- a/net/ipv4/netfilter/nf_log_ipv4.c
+++ b/net/ipv4/netfilter/nf_log_ipv4.c
@@ -5,6 +5,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
@@ -366,8 +367,17 @@ static int __init nf_log_ipv4_init(void)
 	if (ret < 0)
 		return ret;
 
-	nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
+	ret = nf_log_register(NFPROTO_IPV4, &nf_ip_logger);
+	if (ret < 0) {
+		pr_err("failed to register logger\n");
+		goto err1;
+	}
+
 	return 0;
+
+err1:
+	unregister_pernet_subsys(&nf_log_ipv4_net_ops);
+	return ret;
 }
 
 static void __exit nf_log_ipv4_exit(void)
diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
index 7b17a0b..7fc34d1 100644
--- a/net/ipv6/netfilter/nf_log_ipv6.c
+++ b/net/ipv6/netfilter/nf_log_ipv6.c
@@ -5,6 +5,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
@@ -398,8 +399,17 @@ static int __init nf_log_ipv6_init(void)
 	if (ret < 0)
 		return ret;
 
-	nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
+	ret = nf_log_register(NFPROTO_IPV6, &nf_ip6_logger);
+	if (ret < 0) {
+		pr_err("failed to register logger\n");
+		goto err1;
+	}
+
 	return 0;
+
+err1:
+	unregister_pernet_subsys(&nf_log_ipv6_net_ops);
+	return ret;
 }
 
 static void __exit nf_log_ipv6_exit(void)
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 5eaf047..9562e39 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -75,6 +75,7 @@ EXPORT_SYMBOL(nf_log_unset);
 int nf_log_register(u_int8_t pf, struct nf_logger *logger)
 {
 	int i;
+	int ret = 0;
 
 	if (pf >= ARRAY_SIZE(init_net.nf.nf_loggers))
 		return -EINVAL;
@@ -82,16 +83,25 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
 	mutex_lock(&nf_log_mutex);
 
 	if (pf == NFPROTO_UNSPEC) {
+		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) {
+			if (rcu_access_pointer(loggers[i][logger->type])) {
+				ret = -EEXIST;
+				goto unlock;
+			}
+		}
 		for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
 			rcu_assign_pointer(loggers[i][logger->type], logger);
 	} else {
-		/* register at end of list to honor first register win */
+		if (rcu_access_pointer(loggers[pf][logger->type])) {
+			ret = -EEXIST;
+			goto unlock;
+		}
 		rcu_assign_pointer(loggers[pf][logger->type], logger);
 	}
 
+unlock:
 	mutex_unlock(&nf_log_mutex);
-
-	return 0;
+	return ret;
 }
 EXPORT_SYMBOL(nf_log_register);
 
-- 
1.7.10.4

  parent reply	other threads:[~2014-11-24 13:27 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-11-24 13:27 [PATCH 00/17] netfilter/ipvs updates for net-next Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 01/17] netfilter: refactor NAT redirect IPv4 to use it from nf_tables Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 02/17] netfilter: refactor NAT redirect IPv6 code " Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 03/17] netfilter: nf_tables: add new expression nft_redir Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 04/17] ipvs: remove unnecessary assignment in __ip_vs_get_out_rt Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 05/17] netfilter: nf_log: Introduce nft_log_dereference() macro Pablo Neira Ayuso
2014-11-24 13:27 ` Pablo Neira Ayuso [this message]
2014-11-24 13:27 ` [PATCH 07/17] netfilter: fix spelling errors Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 08/17] netfilter: nf_log: fix sparse warning in nf_logger_find_get() Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 09/17] netfilter: nft_meta: add cgroup support Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 10/17] netfilter: fix unmet dependencies in NETFILTER_XT_TARGET_REDIRECT Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 11/17] netfilter: nft_redir: fix sparse warnings Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 12/17] netfilter: fix various " Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 13/17] netfilter: nfnetlink_log: remove unnecessary error messages Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 14/17] netfilter: xt_connlimit: honor conntrack zone if available Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 15/17] netfilter: nf_conntrack_h323: lookup route from proper net namespace Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 16/17] netfilter: Deletion of unnecessary checks before two function calls Pablo Neira Ayuso
2014-11-24 13:27 ` [PATCH 17/17] netfilter: nfnetlink_log: Make use of pr_fmt where applicable Pablo Neira Ayuso
2014-11-24 21:01 ` [PATCH 00/17] netfilter/ipvs updates for net-next David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1416835674-11871-7-git-send-email-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).