From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nftables 1/4] src: fix jumps on bigendian arches
Date: Tue, 13 Aug 2019 21:20:49 +0200
Message-ID: <20190813192049.enr7yczyngth4s4o@salvia>
In-Reply-To: <20190813184409.10757-2-fw@strlen.de>
On Tue, Aug 13, 2019 at 08:44:06PM +0200, Florian Westphal wrote:
> table bla {
> chain foo { }
> chain bar { jump foo }
> }
> }
>
> Fails to restore on big-endian platforms:
> jump.nft:5:2-9: Error: Could not process rule: No such file or directory
> jump foo
>
> nft passes a 0-length name to the kernel.
>
> This is because when we export the value (the string), we provide
> the size of the destination buffer.
>
> In earlier versions, the parser allocated the name with the same
> fixed size and all was fine.
>
> After the fix, the export places the name in the wrong location
> in the destination buffer.
>
> This makes tests/shell/testcases/chains/0001jumps_0 work on s390x.
>
> Fixes: 142350f154c78 ("src: invalid read when importing chain name")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> src/datatype.c | 26 +++++++++++++++++---------
> src/netlink.c | 16 +++++++++++++---
> 2 files changed, 30 insertions(+), 12 deletions(-)
>
> diff --git a/src/datatype.c b/src/datatype.c
> index 28f726f4e84c..6908bc22d783 100644
> --- a/src/datatype.c
> +++ b/src/datatype.c
> @@ -244,10 +244,24 @@ const struct datatype invalid_type = {
> .print = invalid_type_print,
> };
>
> -static void verdict_type_print(const struct expr *expr, struct output_ctx *octx)
> +static void verdict_jump_chain_print(const char *what, const struct expr *e,
> + struct output_ctx *octx)
> {
> char chain[NFT_CHAIN_MAXNAMELEN];
Probably:
char chain[NFT_CHAIN_MAXNAMELEN + 1] = {};
to ensure space for \0.
> + unsigned int len;
> +
> + memset(chain, 0, sizeof(chain));
remove this memset then.
> + len = e->len / BITS_PER_BYTE;
div_round_up() ?
> + if (len >= sizeof(chain))
> + len = sizeof(chain) - 1;
Probably BUG() here instead if e->len > NFT_CHAIN_MAXNAMELEN? This
should not happen.
> +
> + mpz_export_data(chain, e->value, BYTEORDER_HOST_ENDIAN, len);
> + nft_print(octx, "%s %s", what, chain);
> +}
> +
> +static void verdict_type_print(const struct expr *expr, struct output_ctx *octx)
> +{
> switch (expr->verdict) {
> case NFT_CONTINUE:
> nft_print(octx, "continue");
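Review bot: verdict_jump_chain_print() silently clamps an oversized length (`len = sizeof(chain) - 1`) and has no check for `len == 0`, while netlink_gen_verdict() in this same patch calls BUG() for both conditions. The listing path would then print a truncated or empty chain name with no sign that the expression was malformed. Consider applying the same checks in both places, or add a comment saying why the print path is allowed to truncate.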
> @@ -257,10 +271,7 @@ static void verdict_type_print(const struct expr *expr, struct output_ctx *octx)
> break;
> case NFT_JUMP:
> if (expr->chain->etype == EXPR_VALUE) {
> - mpz_export_data(chain, expr->chain->value,
> - BYTEORDER_HOST_ENDIAN,
> - NFT_CHAIN_MAXNAMELEN);
> - nft_print(octx, "jump %s", chain);
> + verdict_jump_chain_print("jump", expr->chain, octx);
> } else {
> nft_print(octx, "jump ");
> expr_print(expr->chain, octx);
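Review bot: the `else` branch of the NFT_JUMP case still open-codes `nft_print(octx, "jump ")` followed by `expr_print()`, so the verb string is now emitted from two places; the NFT_GOTO case has the same shape. Moving the `etype == EXPR_VALUE` decision into verdict_jump_chain_print() would leave one call per case and one place that formats the verb.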
> @@ -268,10 +279,7 @@ static void verdict_type_print(const struct expr *expr, struct output_ctx *octx)
> break;
> case NFT_GOTO:
> if (expr->chain->etype == EXPR_VALUE) {
> - mpz_export_data(chain, expr->chain->value,
> - BYTEORDER_HOST_ENDIAN,
> - NFT_CHAIN_MAXNAMELEN);
> - nft_print(octx, "goto %s", chain);
> + verdict_jump_chain_print("goto", expr->chain, octx);
> } else {
> nft_print(octx, "goto ");
> expr_print(expr->chain, octx);
> diff --git a/src/netlink.c b/src/netlink.c
> index aeeb12eaca93..f8e1120447d9 100644
> --- a/src/netlink.c
> +++ b/src/netlink.c
> @@ -222,17 +222,27 @@ static void netlink_gen_verdict(const struct expr *expr,
> struct nft_data_linearize *data)
> {
> char chain[NFT_CHAIN_MAXNAMELEN];
...[NFT_CHAIN_MAXNAMELEN + 1] = {};
> + unsigned int len;
>
> data->verdict = expr->verdict;
>
> switch (expr->verdict) {
> case NFT_JUMP:
> case NFT_GOTO:
> + len = expr->chain->len / BITS_PER_BYTE;
div_round_up()
> +
> + if (!len)
> + BUG("chain length is 0");
> +
> + if (len > sizeof(chain))
> + BUG("chain is too large (%u, %u max)",
> + len, (unsigned int)sizeof(chain));
> +
> + memset(chain, 0, sizeof(chain));
> +
> mpz_export_data(chain, expr->chain->value,
> - BYTEORDER_HOST_ENDIAN,
> - NFT_CHAIN_MAXNAMELEN);
> + BYTEORDER_HOST_ENDIAN, len);
> snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain);
> - data->chain[NFT_CHAIN_MAXNAMELEN-1] = '\0';
> break;
> }
> }
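Review bot: the bounds check `if (len > sizeof(chain))` accepts `len == sizeof(chain)`. In that case mpz_export_data() is asked to fill all of `chain[NFT_CHAIN_MAXNAMELEN]`, and the following `snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain)` reads a string that has no terminator inside the buffer. Use `len >= sizeof(chain)`, or size the buffer with one extra byte and compare against NFT_CHAIN_MAXNAMELEN, so the `%s` read always stops inside `chain`.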
> --
> 2.21.0
>
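
The failure described in the commit message, as an added example that is not part of the original mail or of the nftables source. It is a simplified model that assumes the chain name is held as one multi-byte integer and exported as a single host-endian word; `struct bigval`, `import_word`, `export_word`, `exported_name_len` and `NAME_MAX_MODEL` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_MODEL 32	/* constructed stand-in for NFT_CHAIN_MAXNAMELEN */

/* Model bignum: b[0] is the least significant byte. */
struct bigval {
	unsigned char b[NAME_MAX_MODEL];
	size_t n;
};

/* Import len bytes as ONE word; 'big' selects the modelled host byte order. */
static void import_word(struct bigval *v, const void *src, size_t len, int big)
{
	const unsigned char *s = src;

	v->n = len;
	for (size_t i = 0; i < len; i++)
		v->b[i] = big ? s[len - 1 - i] : s[i];
}

/* Export as ONE word that is wlen bytes wide; unused high bytes stay zero. */
static void export_word(void *dst, size_t wlen, const struct bigval *v, int big)
{
	unsigned char *d = dst;

	memset(d, 0, wlen);
	for (size_t i = 0; i < v->n && i < wlen; i++)
		d[big ? wlen - 1 - i : i] = v->b[i];
}

/* Length of the C string a reader sees after import followed by export. */
size_t exported_name_len(const char *name, size_t wlen, int big)
{
	char buf[NAME_MAX_MODEL + 1] = { 0 };
	struct bigval v;

	if (strlen(name) > NAME_MAX_MODEL || wlen > NAME_MAX_MODEL)
		return 0;	/* outside what the model can hold */
	import_word(&v, name, strlen(name), big);
	export_word(buf, wlen, &v, big);
	return strlen(buf);
}

int main(void)
{
	printf("LE, buffer-sized word: %zu\n", exported_name_len("foo", NAME_MAX_MODEL, 0));
	printf("BE, buffer-sized word: %zu\n", exported_name_len("foo", NAME_MAX_MODEL, 1));
	printf("BE, value-sized word:  %zu\n", exported_name_len("foo", 3, 1));
	return 0;
}
```

With a buffer-sized word the big-endian export right-aligns the name, so the buffer starts with a zero byte and reads as an empty string; exporting with the value's own length puts the name at offset 0 on both byte orders.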