diff options
| author | Daniel Borkmann <dborkman@redhat.com> | 2013-06-12 11:54:51 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-06-20 05:20:13 -0400 |
| commit | 130ffbc2638ddc290fcbabe1b9ce6a5d333a6a97 (patch) | |
| tree | 79f5f278a8c98d2c569772bb5f7d72836da795d3 /net/netfilter | |
| parent | fedaf4ffc224a194e2d13a3ec2abe5df0bc94258 (diff) | |
netfilter: check return code from nla_parse_tested
These are the only calls under net/ that do not check nla_parse_nested()
for its error code, but simply continue execution. If parsing of netlink
attributes fails, we should return with an error instead of continuing.
In nearly all of these calls we have a policy attached, that is being
type verified during nla_parse_nested(), which we would miss checking
for otherwise.
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 30 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_cthelper.c | 16 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_cttimeout.c | 6 |
3 files changed, 39 insertions, 13 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 6d0f8a17c5b7..f83a52298efe 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -828,7 +828,9 @@ ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple) | |||
| 828 | struct nf_conntrack_l3proto *l3proto; | 828 | struct nf_conntrack_l3proto *l3proto; |
| 829 | int ret = 0; | 829 | int ret = 0; |
| 830 | 830 | ||
| 831 | nla_parse_nested(tb, CTA_IP_MAX, attr, NULL); | 831 | ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL); |
| 832 | if (ret < 0) | ||
| 833 | return ret; | ||
| 832 | 834 | ||
| 833 | rcu_read_lock(); | 835 | rcu_read_lock(); |
| 834 | l3proto = __nf_ct_l3proto_find(tuple->src.l3num); | 836 | l3proto = __nf_ct_l3proto_find(tuple->src.l3num); |
| @@ -895,7 +897,9 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], | |||
| 895 | 897 | ||
| 896 | memset(tuple, 0, sizeof(*tuple)); | 898 | memset(tuple, 0, sizeof(*tuple)); |
| 897 | 899 | ||
| 898 | nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy); | 900 | err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy); |
| 901 | if (err < 0) | ||
| 902 | return err; | ||
| 899 | 903 | ||
| 900 | if (!tb[CTA_TUPLE_IP]) | 904 | if (!tb[CTA_TUPLE_IP]) |
| 901 | return -EINVAL; | 905 | return -EINVAL; |
| @@ -946,9 +950,12 @@ static inline int | |||
| 946 | ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, | 950 | ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, |
| 947 | struct nlattr **helpinfo) | 951 | struct nlattr **helpinfo) |
| 948 | { | 952 | { |
| 953 | int err; | ||
| 949 | struct nlattr *tb[CTA_HELP_MAX+1]; | 954 | struct nlattr *tb[CTA_HELP_MAX+1]; |
| 950 | 955 | ||
| 951 | nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy); | 956 | err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy); |
| 957 | if (err < 0) | ||
| 958 | return err; | ||
| 952 | 959 | ||
| 953 | if (!tb[CTA_HELP_NAME]) | 960 | if (!tb[CTA_HELP_NAME]) |
| 954 | return -EINVAL; | 961 | return -EINVAL; |
| @@ -1431,7 +1438,9 @@ ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[] | |||
| 1431 | struct nf_conntrack_l4proto *l4proto; | 1438 | struct nf_conntrack_l4proto *l4proto; |
| 1432 | int err = 0; | 1439 | int err = 0; |
| 1433 | 1440 | ||
| 1434 | nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy); | 1441 | err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy); |
| 1442 | if (err < 0) | ||
| 1443 | return err; | ||
| 1435 | 1444 | ||
| 1436 | rcu_read_lock(); | 1445 | rcu_read_lock(); |
| 1437 | l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); | 1446 | l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); |
| @@ -1452,9 +1461,12 @@ static const struct nla_policy nat_seq_policy[CTA_NAT_SEQ_MAX+1] = { | |||
| 1452 | static inline int | 1461 | static inline int |
| 1453 | change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr) | 1462 | change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr) |
| 1454 | { | 1463 | { |
| 1464 | int err; | ||
| 1455 | struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; | 1465 | struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; |
| 1456 | 1466 | ||
| 1457 | nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy); | 1467 | err = nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy); |
| 1468 | if (err < 0) | ||
| 1469 | return err; | ||
| 1458 | 1470 | ||
| 1459 | if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) | 1471 | if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) |
| 1460 | return -EINVAL; | 1472 | return -EINVAL; |
| @@ -2115,7 +2127,9 @@ ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct) | |||
| 2115 | struct nlattr *cda[CTA_MAX+1]; | 2127 | struct nlattr *cda[CTA_MAX+1]; |
| 2116 | int ret; | 2128 | int ret; |
| 2117 | 2129 | ||
| 2118 | nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy); | 2130 | ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy); |
| 2131 | if (ret < 0) | ||
| 2132 | return ret; | ||
| 2119 | 2133 | ||
| 2120 | spin_lock_bh(&nf_conntrack_lock); | 2134 | spin_lock_bh(&nf_conntrack_lock); |
| 2121 | ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct); | 2135 | ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct); |
| @@ -2710,7 +2724,9 @@ ctnetlink_parse_expect_nat(const struct nlattr *attr, | |||
| 2710 | struct nf_conntrack_tuple nat_tuple = {}; | 2724 | struct nf_conntrack_tuple nat_tuple = {}; |
| 2711 | int err; | 2725 | int err; |
| 2712 | 2726 | ||
| 2713 | nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy); | 2727 | err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy); |
| 2728 | if (err < 0) | ||
| 2729 | return err; | ||
| 2714 | 2730 | ||
| 2715 | if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) | 2731 | if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) |
| 2716 | return -EINVAL; | 2732 | return -EINVAL; |
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index a191b6db657e..9e287cb56a04 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c | |||
| @@ -67,9 +67,12 @@ static int | |||
| 67 | nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple, | 67 | nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple, |
| 68 | const struct nlattr *attr) | 68 | const struct nlattr *attr) |
| 69 | { | 69 | { |
| 70 | int err; | ||
| 70 | struct nlattr *tb[NFCTH_TUPLE_MAX+1]; | 71 | struct nlattr *tb[NFCTH_TUPLE_MAX+1]; |
| 71 | 72 | ||
| 72 | nla_parse_nested(tb, NFCTH_TUPLE_MAX, attr, nfnl_cthelper_tuple_pol); | 73 | err = nla_parse_nested(tb, NFCTH_TUPLE_MAX, attr, nfnl_cthelper_tuple_pol); |
| 74 | if (err < 0) | ||
| 75 | return err; | ||
| 73 | 76 | ||
| 74 | if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM]) | 77 | if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM]) |
| 75 | return -EINVAL; | 78 | return -EINVAL; |
| @@ -121,9 +124,12 @@ static int | |||
| 121 | nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy, | 124 | nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy, |
| 122 | const struct nlattr *attr) | 125 | const struct nlattr *attr) |
| 123 | { | 126 | { |
| 127 | int err; | ||
| 124 | struct nlattr *tb[NFCTH_POLICY_MAX+1]; | 128 | struct nlattr *tb[NFCTH_POLICY_MAX+1]; |
| 125 | 129 | ||
| 126 | nla_parse_nested(tb, NFCTH_POLICY_MAX, attr, nfnl_cthelper_expect_pol); | 130 | err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr, nfnl_cthelper_expect_pol); |
| 131 | if (err < 0) | ||
| 132 | return err; | ||
| 127 | 133 | ||
| 128 | if (!tb[NFCTH_POLICY_NAME] || | 134 | if (!tb[NFCTH_POLICY_NAME] || |
| 129 | !tb[NFCTH_POLICY_EXPECT_MAX] || | 135 | !tb[NFCTH_POLICY_EXPECT_MAX] || |
| @@ -153,8 +159,10 @@ nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper, | |||
| 153 | struct nf_conntrack_expect_policy *expect_policy; | 159 | struct nf_conntrack_expect_policy *expect_policy; |
| 154 | struct nlattr *tb[NFCTH_POLICY_SET_MAX+1]; | 160 | struct nlattr *tb[NFCTH_POLICY_SET_MAX+1]; |
| 155 | 161 | ||
| 156 | nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr, | 162 | ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr, |
| 157 | nfnl_cthelper_expect_policy_set); | 163 | nfnl_cthelper_expect_policy_set); |
| 164 | if (ret < 0) | ||
| 165 | return ret; | ||
| 158 | 166 | ||
| 159 | if (!tb[NFCTH_POLICY_SET_NUM]) | 167 | if (!tb[NFCTH_POLICY_SET_NUM]) |
| 160 | return -EINVAL; | 168 | return -EINVAL; |
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index 65074dfb9383..50580494148d 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c | |||
| @@ -59,8 +59,10 @@ ctnl_timeout_parse_policy(struct ctnl_timeout *timeout, | |||
| 59 | if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) { | 59 | if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) { |
| 60 | struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1]; | 60 | struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1]; |
| 61 | 61 | ||
| 62 | nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max, | 62 | ret = nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max, |
| 63 | attr, l4proto->ctnl_timeout.nla_policy); | 63 | attr, l4proto->ctnl_timeout.nla_policy); |
| 64 | if (ret < 0) | ||
| 65 | return ret; | ||
| 64 | 66 | ||
| 65 | ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, | 67 | ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, |
| 66 | &timeout->data); | 68 | &timeout->data); |