[NETFILTER]: Fix {ip,ip6,arp}_tables hook validation

Commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a regression in match/target hook validation. mark_source_chains builds a bitmask for each rule representing the hooks it can be reached from, which is then used by the matches and targets to make sure they are only called from valid hooks. The patch moved the match/target specific validation before the mark_source_chains call, at which point the mask is always zero. This patch returns back to the old order and moves the standard checks to mark_source_chains. This allows to get rid of a special case for standard targets as a nice side-effect. Signed-off-by: Dmitry Mishin <dim@openvz.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Dmitry Mishin <dim@openvz.org> 2006-12-05 16:43:50 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-06 21:39:02 -0500
commit: 74c9c0c17dea729d6089c0c82762babd02e65f84 (patch)
tree: fa3c59bcd8121b469013b49963fb561f0fa30903 /net/ipv6
parent: 79066ad32be5bb2edf16733aec36acf2af03fc99 (diff)
1 files changed, 23 insertions, 36 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f63fb86d7c7b..4eec4b3988b8 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -440,6 +440,13 @@ mark_source_chains(struct xt_table_info *newinfo,
                            && unconditional(&e->ipv6)) {
                                unsigned int oldpos, size;
+                                if (t->verdict < -NF_MAX_VERDICT - 1) {
+                                        duprintf("mark_source_chains: bad "
+                                                "negative verdict (%i)\n",
+                                                                t->verdict);
+                                        return 0;
+                                }
                                /* Return: backtrack through the last
                                   big jump. */
                                do {
@@ -477,6 +484,13 @@ mark_source_chains(struct xt_table_info *newinfo,
                                if (strcmp(t->target.u.user.name,
                                           IP6T_STANDARD_TARGET) == 0
                                    && newpos >= 0) {
+                                        if (newpos > newinfo->size -
+                                                sizeof(struct ip6t_entry)) {
+                                                duprintf("mark_source_chains: "
+                                                        "bad verdict (%i)\n",
+                                                                newpos);
+                                                return 0;
+                                        }
                                        /* This a jump; chase it. */
                                        duprintf("Jump rule %u -> %u\n",
                                                 pos, newpos);
@@ -509,27 +523,6 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
 }
 static inline int
-standard_check(const struct ip6t_entry_target *t,
-               unsigned int max_offset)
-{
-        struct ip6t_standard_target *targ = (void *)t;
-        /* Check standard info. */
-        if (targ->verdict >= 0
-            && targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
-                duprintf("ip6t_standard_check: bad verdict (%i)\n",
-                         targ->verdict);
-                return 0;
-        }
-        if (targ->verdict < -NF_MAX_VERDICT - 1) {
-                duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
-                         targ->verdict);
-                return 0;
-        }
-        return 1;
-}
-static inline int
 check_match(struct ip6t_entry_match *m,
            const char *name,
            const struct ip6t_ip6 *ipv6,
@@ -616,12 +609,7 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
        if (ret)
                goto err;
-        if (t->u.kernel.target == &ip6t_standard_target) {
+        if (t->u.kernel.target->checkentry
-                if (!standard_check(t, size)) {
-                        ret = -EINVAL;
-                        goto err;
-                }
-        } else if (t->u.kernel.target->checkentry
                   && !t->u.kernel.target->checkentry(name, e, target, t->data,
                                                      e->comefrom)) {
                duprintf("ip_tables: check failed for `%s'.\n",
@@ -758,17 +746,19 @@ translate_table(const char *name,
                }
        }
+        if (!mark_source_chains(newinfo, valid_hooks, entry0))
+                return -ELOOP;
        /* Finally, each sanity check must pass */
        i = 0;
        ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
                                check_entry, name, size, &i);
-        if (ret != 0)
+        if (ret != 0) {
-                goto cleanup;
+                IP6T_ENTRY_ITERATE(entry0, newinfo->size,
+                                   cleanup_entry, &i);
-        ret = -ELOOP;
+                return ret;
-        if (!mark_source_chains(newinfo, valid_hooks, entry0))
+        }
-                goto cleanup;
        /* And one copy for every other CPU */
        for_each_possible_cpu(i) {
@@ -777,9 +767,6 @@ translate_table(const char *name,
        }
        return 0;
-cleanup:
-        IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
-        return ret;
 }
 /* Gets counters. */
author	Dmitry Mishin <dim@openvz.org>	2006-12-05 16:43:50 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-06 21:39:02 -0500
commit	74c9c0c17dea729d6089c0c82762babd02e65f84 (patch)
tree	fa3c59bcd8121b469013b49963fb561f0fa30903 /net/ipv6
parent	79066ad32be5bb2edf16733aec36acf2af03fc99 (diff)

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index f63fb86d7c7b..4eec4b3988b8 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c
@@ -440,6 +440,13 @@ mark_source_chains(struct xt_table_info *newinfo,
440	&& unconditional(&e->ipv6)) {	440	&& unconditional(&e->ipv6)) {
441	unsigned int oldpos, size;	441	unsigned int oldpos, size;
442		442
		443	if (t->verdict < -NF_MAX_VERDICT - 1) {
		444	duprintf("mark_source_chains: bad "
		445	"negative verdict (%i)\n",
		446	t->verdict);
		447	return 0;
		448	}
		449
443	/* Return: backtrack through the last	450	/* Return: backtrack through the last
444	big jump. */	451	big jump. */
445	do {	452	do {
@@ -477,6 +484,13 @@ mark_source_chains(struct xt_table_info *newinfo,
477	if (strcmp(t->target.u.user.name,	484	if (strcmp(t->target.u.user.name,
478	IP6T_STANDARD_TARGET) == 0	485	IP6T_STANDARD_TARGET) == 0
479	&& newpos >= 0) {	486	&& newpos >= 0) {
		487	if (newpos > newinfo->size -
		488	sizeof(struct ip6t_entry)) {
		489	duprintf("mark_source_chains: "
		490	"bad verdict (%i)\n",
		491	newpos);
		492	return 0;
		493	}
480	/* This a jump; chase it. */	494	/* This a jump; chase it. */
481	duprintf("Jump rule %u -> %u\n",	495	duprintf("Jump rule %u -> %u\n",
482	pos, newpos);	496	pos, newpos);
@@ -509,27 +523,6 @@ cleanup_match(struct ip6t_entry_match m, unsigned int i)
509	}	523	}
510		524
511	static inline int	525	static inline int
512	standard_check(const struct ip6t_entry_target *t,
513	unsigned int max_offset)
514	{
515	struct ip6t_standard_target targ = (void )t;
516
517	/* Check standard info. */
518	if (targ->verdict >= 0
519	&& targ->verdict > max_offset - sizeof(struct ip6t_entry)) {
520	duprintf("ip6t_standard_check: bad verdict (%i)\n",
521	targ->verdict);
522	return 0;
523	}
524	if (targ->verdict < -NF_MAX_VERDICT - 1) {
525	duprintf("ip6t_standard_check: bad negative verdict (%i)\n",
526	targ->verdict);
527	return 0;
528	}
529	return 1;
530	}
531
532	static inline int
533	check_match(struct ip6t_entry_match *m,	526	check_match(struct ip6t_entry_match *m,
534	const char *name,	527	const char *name,
535	const struct ip6t_ip6 *ipv6,	528	const struct ip6t_ip6 *ipv6,
@@ -616,12 +609,7 @@ check_entry(struct ip6t_entry e, const char name, unsigned int size,
616	if (ret)	609	if (ret)
617	goto err;	610	goto err;
618		611
619	if (t->u.kernel.target == &ip6t_standard_target) {	612	if (t->u.kernel.target->checkentry
620	if (!standard_check(t, size)) {
621	ret = -EINVAL;
622	goto err;
623	}
624	} else if (t->u.kernel.target->checkentry
625	&& !t->u.kernel.target->checkentry(name, e, target, t->data,	613	&& !t->u.kernel.target->checkentry(name, e, target, t->data,
626	e->comefrom)) {	614	e->comefrom)) {
627	duprintf("ip_tables: check failed for `%s'.\n",	615	duprintf("ip_tables: check failed for `%s'.\n",
@@ -758,17 +746,19 @@ translate_table(const char *name,
758	}	746	}
759	}	747	}
760		748
		749	if (!mark_source_chains(newinfo, valid_hooks, entry0))
		750	return -ELOOP;
		751
761	/* Finally, each sanity check must pass */	752	/* Finally, each sanity check must pass */
762	i = 0;	753	i = 0;
763	ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,	754	ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size,
764	check_entry, name, size, &i);	755	check_entry, name, size, &i);
765		756
766	if (ret != 0)	757	if (ret != 0) {
767	goto cleanup;	758	IP6T_ENTRY_ITERATE(entry0, newinfo->size,
768		759	cleanup_entry, &i);
769	ret = -ELOOP;	760	return ret;
770	if (!mark_source_chains(newinfo, valid_hooks, entry0))	761	}
771	goto cleanup;
772		762
773	/* And one copy for every other CPU */	763	/* And one copy for every other CPU */
774	for_each_possible_cpu(i) {	764	for_each_possible_cpu(i) {
@@ -777,9 +767,6 @@ translate_table(const char *name,
777	}	767	}
778		768
779	return 0;	769	return 0;
780	cleanup:
781	IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i);
782	return ret;
783	}	770	}
784		771
785	/* Gets counters. */	772	/* Gets counters. */