Re: [libnftnl PATCH] src: Fix nftnl_assert() on data_len

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>, netfilter-devel@vger.kernel.org
Subject: Re: [libnftnl PATCH] src: Fix nftnl_assert() on data_len
Date: Sat, 15 Feb 2020 14:17:13 +0100
Message-ID: <20200215131713.5gwn4ayk2udjff33@salvia> (raw)
In-Reply-To: <20200215004311.GS20005@orbyte.nwl.cc>


[-- Attachment #1: Type: text/plain, Size: 2029 bytes --]

On Sat, Feb 15, 2020 at 01:43:11AM +0100, Phil Sutter wrote:
> Hi Pablo,
> 
> On Fri, Feb 14, 2020 at 06:42:00PM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Feb 14, 2020 at 06:34:50PM +0100, Phil Sutter wrote:
> > > On Fri, Feb 14, 2020 at 06:32:47PM +0100, Pablo Neira Ayuso wrote:
> > > > On Fri, Feb 14, 2020 at 06:24:17PM +0100, Phil Sutter wrote:
> > > > > Typical idiom for *_get_u*() getters is to call *_get_data() and make
> > > > > sure data_len matches what each of them is returning. Yet they shouldn't
> > > > > trust *_get_data() to write into passed pointer to data_len since for
> > > > > chains and NFTNL_CHAIN_DEVICES attribute, it does not. Make sure these
> > > > > assert() calls trigger in those cases.
> > > > 
> > > > The intention to catch for unset attributes through the assertion,
> > > > right?
> > > 
> > > No, this is about making sure that no wrong getter is called, e.g.
> > > nftnl_chain_get_u64() with e.g. NFTNL_CHAIN_HOOKNUM attribute which is
> > > only 32bits.
> > 
> > I think it will also catch the case I'm asking. If attribute is unset,
> > then nftnl_chain_get_data() returns NULL and the assertion checks
> > data_len, which has not been properly initialized.
> 
> With nftnl_assert() being (shortened):
> 
> | #define nftnl_assert(val, attr, expr) \
> |  ((!val || expr) ? \
> |  (void)0 : __nftnl_assert_fail(attr, __FILE__, __LINE__))
> 
> Check for 'expr' (which is passed as 'data_len == sizeof(<something>)')
> will only happen if 'val' is not NULL. Callers then return like so:
> 
> | return val ? *val : 0;
> 
> This means that if you pass an unset attribute to the getter, it will
> simply return 0.

Thanks for explaining, Phil. If the problem is just
NFTNL_CHAIN_DEVICES and NFTNL_FLOWTABLE_DEVICES, probably this is just
fine? So zero data-length is reversed for arrays and update
nftnl_assert() to skip data_len == 0, ie.

> | #define nftnl_assert(val, attr, expr) \
> |  ((!val || data_len == 0 || expr) ? \
> |  (void)0 : __nftnl_assert_fail(attr, __FILE__, __LINE__))

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 1261 bytes --]

diff --git a/include/utils.h b/include/utils.h
index 8af5a8e973fa..53999c982c56 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -30,7 +30,7 @@ void __noreturn __abi_breakage(const char *file, int line, const char *reason);
 void __nftnl_assert_fail(uint16_t attr, const char *filename, int line);
 
 #define nftnl_assert(val, attr, expr)			\
-  ((!val || expr)					\
+  ((!val || data_len == 0 || expr)			\
    ? (void)0						\
    : __nftnl_assert_fail(attr, __FILE__, __LINE__))
 
diff --git a/src/chain.c b/src/chain.c
index b4066e4d4e88..94a9e43a1754 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -364,6 +364,7 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
 		*data_len = strlen(c->dev) + 1;
 		return c->dev;
 	case NFTNL_CHAIN_DEVICES:
+		*data_len = 0;
 		return &c->dev_array[0];
 	}
 	return NULL;
diff --git a/src/flowtable.c b/src/flowtable.c
index 1e235d0ba50f..635322d7fa56 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -230,6 +230,7 @@ const void *nftnl_flowtable_get_data(const struct nftnl_flowtable *c,
 		*data_len = sizeof(int32_t);
 		return &c->family;
 	case NFTNL_FLOWTABLE_DEVICES:
+		*data_len = 0;
 		return &c->dev_array[0];
 	case NFTNL_FLOWTABLE_SIZE:
 		*data_len = sizeof(int32_t);
