[NETFILTER]: Change {ip,ip6,arp}_tables to use centralized error checking

Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2006-03-20 21:00:36 -0500
committer: David S. Miller <davem@davemloft.net> 2006-03-20 21:00:36 -0500
commit: 3cdc7c953eb1e1e1d1b82adbd140bf3451c165b1 (patch)
tree: 82d44723c94904d52fc5234eaaa505688bdf0dc3 /net/ipv4
parent: 37f9f7334b86ffc3b8a1921842ae33cb9aa22ee3 (diff)
2 files changed, 29 insertions, 8 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 7d7ab94a7a2e..2fdf75da7a70 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -480,6 +480,11 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
        }
        t->u.kernel.target = target;
+        ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
+                              name, e->comefrom, 0, 0);
+        if (ret)
+                goto err;
        if (t->u.kernel.target == &arpt_standard_target) {
                if (!standard_check(t, size)) {
                        ret = -EINVAL;
@@ -490,16 +495,16 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
                                                      t->u.target_size
                                                      - sizeof(*t),
                                                      e->comefrom)) {
-                module_put(t->u.kernel.target->me);
                duprintf("arp_tables: check failed for `%s'.\n",
                         t->u.kernel.target->name);
                ret = -EINVAL;
-                goto out;
+                goto err;
        }
        (*i)++;
        return 0;
+err:
+        module_put(t->u.kernel.target->me);
 out:
        return ret;
 }
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 16f47c675fef..f884ca223295 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -508,6 +508,7 @@ check_match(struct ipt_entry_match *m,
            unsigned int *i)
 {
        struct ipt_match *match;
+        int ret;
        match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
                                                   m->u.user.revision),
@@ -518,18 +519,27 @@ check_match(struct ipt_entry_match *m,
        }
        m->u.kernel.match = match;
+        ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
+                             name, hookmask, ip->proto,
+                             ip->invflags & IPT_INV_PROTO);
+        if (ret)
+                goto err;
        if (m->u.kernel.match->checkentry
            && !m->u.kernel.match->checkentry(name, ip, m->data,
                                              m->u.match_size - sizeof(*m),
                                              hookmask)) {
-                module_put(m->u.kernel.match->me);
                duprintf("ip_tables: check failed for `%s'.\n",
                         m->u.kernel.match->name);
-                return -EINVAL;
+                ret = -EINVAL;
+                goto err;
        }
        (*i)++;
        return 0;
+err:
+        module_put(m->u.kernel.match->me);
+        return ret;
 }
 static struct ipt_target ipt_standard_target;
@@ -565,6 +575,12 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
        }
        t->u.kernel.target = target;
+        ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
+                              name, e->comefrom, e->ip.proto,
+                              e->ip.invflags & IPT_INV_PROTO);
+        if (ret)
+                goto err;
        if (t->u.kernel.target == &ipt_standard_target) {
                if (!standard_check(t, size)) {
                        ret = -EINVAL;
@@ -575,16 +591,16 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
                                                      t->u.target_size
                                                      - sizeof(*t),
                                                      e->comefrom)) {
-                module_put(t->u.kernel.target->me);
                duprintf("ip_tables: check failed for `%s'.\n",
                         t->u.kernel.target->name);
                ret = -EINVAL;
-                goto cleanup_matches;
+                goto err;
        }
        (*i)++;
        return 0;
+ err:
+        module_put(t->u.kernel.target->me);
 cleanup_matches:
        IPT_MATCH_ITERATE(e, cleanup_match, &j);
        return ret;
author	Patrick McHardy <kaber@trash.net>	2006-03-20 21:00:36 -0500
committer	David S. Miller <davem@davemloft.net>	2006-03-20 21:00:36 -0500
commit	3cdc7c953eb1e1e1d1b82adbd140bf3451c165b1 (patch)
tree	82d44723c94904d52fc5234eaaa505688bdf0dc3 /net/ipv4
parent	37f9f7334b86ffc3b8a1921842ae33cb9aa22ee3 (diff)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 7d7ab94a7a2e..2fdf75da7a70 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c
@@ -480,6 +480,11 @@ static inline int check_entry(struct arpt_entry e, const char name, unsigned i
480	}	480	}
481	t->u.kernel.target = target;	481	t->u.kernel.target = target;
482		482
		483	ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
		484	name, e->comefrom, 0, 0);
		485	if (ret)
		486	goto err;
		487
483	if (t->u.kernel.target == &arpt_standard_target) {	488	if (t->u.kernel.target == &arpt_standard_target) {
484	if (!standard_check(t, size)) {	489	if (!standard_check(t, size)) {
485	ret = -EINVAL;	490	ret = -EINVAL;
@@ -490,16 +495,16 @@ static inline int check_entry(struct arpt_entry e, const char name, unsigned i
490	t->u.target_size	495	t->u.target_size
491	- sizeof(*t),	496	- sizeof(*t),
492	e->comefrom)) {	497	e->comefrom)) {
493	module_put(t->u.kernel.target->me);
494	duprintf("arp_tables: check failed for `%s'.\n",	498	duprintf("arp_tables: check failed for `%s'.\n",
495	t->u.kernel.target->name);	499	t->u.kernel.target->name);
496	ret = -EINVAL;	500	ret = -EINVAL;
497	goto out;	501	goto err;
498	}	502	}
499		503
500	(*i)++;	504	(*i)++;
501	return 0;	505	return 0;
502		506	err:
		507	module_put(t->u.kernel.target->me);
503	out:	508	out:
504	return ret;	509	return ret;
505	}	510	}


diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 16f47c675fef..f884ca223295 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c
@@ -508,6 +508,7 @@ check_match(struct ipt_entry_match *m,
508	unsigned int *i)	508	unsigned int *i)
509	{	509	{
510	struct ipt_match *match;	510	struct ipt_match *match;
		511	int ret;
511		512
512	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,	513	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
513	m->u.user.revision),	514	m->u.user.revision),
@@ -518,18 +519,27 @@ check_match(struct ipt_entry_match *m,
518	}	519	}
519	m->u.kernel.match = match;	520	m->u.kernel.match = match;
520		521
		522	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
		523	name, hookmask, ip->proto,
		524	ip->invflags & IPT_INV_PROTO);
		525	if (ret)
		526	goto err;
		527
521	if (m->u.kernel.match->checkentry	528	if (m->u.kernel.match->checkentry
522	&& !m->u.kernel.match->checkentry(name, ip, m->data,	529	&& !m->u.kernel.match->checkentry(name, ip, m->data,
523	m->u.match_size - sizeof(*m),	530	m->u.match_size - sizeof(*m),
524	hookmask)) {	531	hookmask)) {
525	module_put(m->u.kernel.match->me);
526	duprintf("ip_tables: check failed for `%s'.\n",	532	duprintf("ip_tables: check failed for `%s'.\n",
527	m->u.kernel.match->name);	533	m->u.kernel.match->name);
528	return -EINVAL;	534	ret = -EINVAL;
		535	goto err;
529	}	536	}
530		537
531	(*i)++;	538	(*i)++;
532	return 0;	539	return 0;
		540	err:
		541	module_put(m->u.kernel.match->me);
		542	return ret;
533	}	543	}
534		544
535	static struct ipt_target ipt_standard_target;	545	static struct ipt_target ipt_standard_target;
@@ -565,6 +575,12 @@ check_entry(struct ipt_entry e, const char name, unsigned int size,
565	}	575	}
566	t->u.kernel.target = target;	576	t->u.kernel.target = target;
567		577
		578	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
		579	name, e->comefrom, e->ip.proto,
		580	e->ip.invflags & IPT_INV_PROTO);
		581	if (ret)
		582	goto err;
		583
568	if (t->u.kernel.target == &ipt_standard_target) {	584	if (t->u.kernel.target == &ipt_standard_target) {
569	if (!standard_check(t, size)) {	585	if (!standard_check(t, size)) {
570	ret = -EINVAL;	586	ret = -EINVAL;
@@ -575,16 +591,16 @@ check_entry(struct ipt_entry e, const char name, unsigned int size,
575	t->u.target_size	591	t->u.target_size
576	- sizeof(*t),	592	- sizeof(*t),
577	e->comefrom)) {	593	e->comefrom)) {
578	module_put(t->u.kernel.target->me);
579	duprintf("ip_tables: check failed for `%s'.\n",	594	duprintf("ip_tables: check failed for `%s'.\n",
580	t->u.kernel.target->name);	595	t->u.kernel.target->name);
581	ret = -EINVAL;	596	ret = -EINVAL;
582	goto cleanup_matches;	597	goto err;
583	}	598	}
584		599
585	(*i)++;	600	(*i)++;
586	return 0;	601	return 0;
587		602	err:
		603	module_put(t->u.kernel.target->me);
588	cleanup_matches:	604	cleanup_matches:
589	IPT_MATCH_ITERATE(e, cleanup_match, &j);	605	IPT_MATCH_ITERATE(e, cleanup_match, &j);
590	return ret;	606	return ret;