diff options
| author | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2019-11-01 12:13:18 -0400 |
|---|---|---|
| committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2019-11-04 14:46:13 -0500 |
| commit | 1289975643f4cdecb071dc641059a47679fd170f (patch) | |
| tree | eebba08a8ada65fd8a6e6978cb29e8210584a2ff /net | |
| parent | 97664bc2c77e2b65cdedddcae2643fc93291d958 (diff) | |
netfilter: ipset: Fix nla_policies to fully support NL_VALIDATE_STRICT
Since v5.2 (commit "netlink: re-add parse/validate functions in strict
mode") NL_VALIDATE_STRICT is enabled. Fix the ipset nla_policies which did
not support strict mode and convert from deprecated parsings to verified ones.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/ipset/ip_set_core.c | 41 | ||||
| -rw-r--r-- | net/netfilter/ipset/ip_set_hash_net.c | 1 | ||||
| -rw-r--r-- | net/netfilter/ipset/ip_set_hash_netnet.c | 1 |
3 files changed, 30 insertions, 13 deletions
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c index e7288eab7512..d73d1828216a 100644 --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c | |||
| @@ -296,7 +296,8 @@ ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) | |||
| 296 | 296 | ||
| 297 | if (unlikely(!flag_nested(nla))) | 297 | if (unlikely(!flag_nested(nla))) |
| 298 | return -IPSET_ERR_PROTOCOL; | 298 | return -IPSET_ERR_PROTOCOL; |
| 299 | if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL)) | 299 | if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, |
| 300 | ipaddr_policy, NULL)) | ||
| 300 | return -IPSET_ERR_PROTOCOL; | 301 | return -IPSET_ERR_PROTOCOL; |
| 301 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) | 302 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) |
| 302 | return -IPSET_ERR_PROTOCOL; | 303 | return -IPSET_ERR_PROTOCOL; |
| @@ -314,7 +315,8 @@ ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) | |||
| 314 | if (unlikely(!flag_nested(nla))) | 315 | if (unlikely(!flag_nested(nla))) |
| 315 | return -IPSET_ERR_PROTOCOL; | 316 | return -IPSET_ERR_PROTOCOL; |
| 316 | 317 | ||
| 317 | if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL)) | 318 | if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, |
| 319 | ipaddr_policy, NULL)) | ||
| 318 | return -IPSET_ERR_PROTOCOL; | 320 | return -IPSET_ERR_PROTOCOL; |
| 319 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) | 321 | if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) |
| 320 | return -IPSET_ERR_PROTOCOL; | 322 | return -IPSET_ERR_PROTOCOL; |
| @@ -934,7 +936,8 @@ static int ip_set_create(struct net *net, struct sock *ctnl, | |||
| 934 | 936 | ||
| 935 | /* Without holding any locks, create private part. */ | 937 | /* Without holding any locks, create private part. */ |
| 936 | if (attr[IPSET_ATTR_DATA] && | 938 | if (attr[IPSET_ATTR_DATA] && |
| 937 | nla_parse_nested_deprecated(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], set->type->create_policy, NULL)) { | 939 | nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], |
| 940 | set->type->create_policy, NULL)) { | ||
| 938 | ret = -IPSET_ERR_PROTOCOL; | 941 | ret = -IPSET_ERR_PROTOCOL; |
| 939 | goto put_out; | 942 | goto put_out; |
| 940 | } | 943 | } |
| @@ -1281,6 +1284,14 @@ dump_attrs(struct nlmsghdr *nlh) | |||
| 1281 | } | 1284 | } |
| 1282 | } | 1285 | } |
| 1283 | 1286 | ||
| 1287 | static const struct nla_policy | ||
| 1288 | ip_set_dump_policy[IPSET_ATTR_CMD_MAX + 1] = { | ||
| 1289 | [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, | ||
| 1290 | [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, | ||
| 1291 | .len = IPSET_MAXNAMELEN - 1 }, | ||
| 1292 | [IPSET_ATTR_FLAGS] = { .type = NLA_U32 }, | ||
| 1293 | }; | ||
| 1294 | |||
| 1284 | static int | 1295 | static int |
| 1285 | dump_init(struct netlink_callback *cb, struct ip_set_net *inst) | 1296 | dump_init(struct netlink_callback *cb, struct ip_set_net *inst) |
| 1286 | { | 1297 | { |
| @@ -1292,9 +1303,9 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst) | |||
| 1292 | ip_set_id_t index; | 1303 | ip_set_id_t index; |
| 1293 | int ret; | 1304 | int ret; |
| 1294 | 1305 | ||
| 1295 | ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, attr, | 1306 | ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, attr, |
| 1296 | nlh->nlmsg_len - min_len, | 1307 | nlh->nlmsg_len - min_len, |
| 1297 | ip_set_setname_policy, NULL); | 1308 | ip_set_dump_policy, NULL); |
| 1298 | if (ret) | 1309 | if (ret) |
| 1299 | return ret; | 1310 | return ret; |
| 1300 | 1311 | ||
| @@ -1543,9 +1554,9 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set, | |||
| 1543 | memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); | 1554 | memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); |
| 1544 | cmdattr = (void *)&errmsg->msg + min_len; | 1555 | cmdattr = (void *)&errmsg->msg + min_len; |
| 1545 | 1556 | ||
| 1546 | ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr, | 1557 | ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr, |
| 1547 | nlh->nlmsg_len - min_len, | 1558 | nlh->nlmsg_len - min_len, ip_set_adt_policy, |
| 1548 | ip_set_adt_policy, NULL); | 1559 | NULL); |
| 1549 | 1560 | ||
| 1550 | if (ret) { | 1561 | if (ret) { |
| 1551 | nlmsg_free(skb2); | 1562 | nlmsg_free(skb2); |
| @@ -1596,7 +1607,9 @@ static int ip_set_ad(struct net *net, struct sock *ctnl, | |||
| 1596 | 1607 | ||
| 1597 | use_lineno = !!attr[IPSET_ATTR_LINENO]; | 1608 | use_lineno = !!attr[IPSET_ATTR_LINENO]; |
| 1598 | if (attr[IPSET_ATTR_DATA]) { | 1609 | if (attr[IPSET_ATTR_DATA]) { |
| 1599 | if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL)) | 1610 | if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, |
| 1611 | attr[IPSET_ATTR_DATA], | ||
| 1612 | set->type->adt_policy, NULL)) | ||
| 1600 | return -IPSET_ERR_PROTOCOL; | 1613 | return -IPSET_ERR_PROTOCOL; |
| 1601 | ret = call_ad(ctnl, skb, set, tb, adt, flags, | 1614 | ret = call_ad(ctnl, skb, set, tb, adt, flags, |
| 1602 | use_lineno); | 1615 | use_lineno); |
| @@ -1606,7 +1619,8 @@ static int ip_set_ad(struct net *net, struct sock *ctnl, | |||
| 1606 | nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { | 1619 | nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) { |
| 1607 | if (nla_type(nla) != IPSET_ATTR_DATA || | 1620 | if (nla_type(nla) != IPSET_ATTR_DATA || |
| 1608 | !flag_nested(nla) || | 1621 | !flag_nested(nla) || |
| 1609 | nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, nla, set->type->adt_policy, NULL)) | 1622 | nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, |
| 1623 | set->type->adt_policy, NULL)) | ||
| 1610 | return -IPSET_ERR_PROTOCOL; | 1624 | return -IPSET_ERR_PROTOCOL; |
| 1611 | ret = call_ad(ctnl, skb, set, tb, adt, | 1625 | ret = call_ad(ctnl, skb, set, tb, adt, |
| 1612 | flags, use_lineno); | 1626 | flags, use_lineno); |
| @@ -1655,7 +1669,8 @@ static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb, | |||
| 1655 | if (!set) | 1669 | if (!set) |
| 1656 | return -ENOENT; | 1670 | return -ENOENT; |
| 1657 | 1671 | ||
| 1658 | if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL)) | 1672 | if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], |
| 1673 | set->type->adt_policy, NULL)) | ||
| 1659 | return -IPSET_ERR_PROTOCOL; | 1674 | return -IPSET_ERR_PROTOCOL; |
| 1660 | 1675 | ||
| 1661 | rcu_read_lock_bh(); | 1676 | rcu_read_lock_bh(); |
| @@ -1961,7 +1976,7 @@ static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = { | |||
| 1961 | [IPSET_CMD_LIST] = { | 1976 | [IPSET_CMD_LIST] = { |
| 1962 | .call = ip_set_dump, | 1977 | .call = ip_set_dump, |
| 1963 | .attr_count = IPSET_ATTR_CMD_MAX, | 1978 | .attr_count = IPSET_ATTR_CMD_MAX, |
| 1964 | .policy = ip_set_setname_policy, | 1979 | .policy = ip_set_dump_policy, |
| 1965 | }, | 1980 | }, |
| 1966 | [IPSET_CMD_SAVE] = { | 1981 | [IPSET_CMD_SAVE] = { |
| 1967 | .call = ip_set_dump, | 1982 | .call = ip_set_dump, |
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c index c259cbc3ef45..3d932de0ad29 100644 --- a/net/netfilter/ipset/ip_set_hash_net.c +++ b/net/netfilter/ipset/ip_set_hash_net.c | |||
| @@ -368,6 +368,7 @@ static struct ip_set_type hash_net_type __read_mostly = { | |||
| 368 | [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, | 368 | [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, |
| 369 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, | 369 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, |
| 370 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | 370 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, |
| 371 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | ||
| 371 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, | 372 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, |
| 372 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, | 373 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| 373 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | 374 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c index a3ae69bfee66..4398322fad59 100644 --- a/net/netfilter/ipset/ip_set_hash_netnet.c +++ b/net/netfilter/ipset/ip_set_hash_netnet.c | |||
| @@ -476,6 +476,7 @@ static struct ip_set_type hash_netnet_type __read_mostly = { | |||
| 476 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, | 476 | [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, |
| 477 | [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, | 477 | [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, |
| 478 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, | 478 | [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, |
| 479 | [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, | ||
| 479 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, | 480 | [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, |
| 480 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, | 481 | [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| 481 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, | 482 | [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |