diff options
author | Dmitry Mishin <dim@openvz.org> | 2006-12-05 16:43:50 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-12-06 21:39:02 -0500 |
commit | 74c9c0c17dea729d6089c0c82762babd02e65f84 (patch) | |
tree | fa3c59bcd8121b469013b49963fb561f0fa30903 /net/ipv6 | |
parent | 79066ad32be5bb2edf16733aec36acf2af03fc99 (diff) |
[NETFILTER]: Fix {ip,ip6,arp}_tables hook validation
Commit 590bdf7fd2292b47c428111cb1360e312eff207e introduced a regression
in match/target hook validation. mark_source_chains builds a bitmask
for each rule representing the hooks it can be reached from, which is
then used by the matches and targets to make sure they are only called
from valid hooks. The patch moved the match/target specific validation
before the mark_source_chains call, at which point the mask is always zero.
This patch returns back to the old order and moves the standard checks
to mark_source_chains. This allows to get rid of a special case for
standard targets as a nice side-effect.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 59 |
1 files changed, 23 insertions, 36 deletions
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index f63fb86d7c7b..4eec4b3988b8 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -440,6 +440,13 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
440 | && unconditional(&e->ipv6)) { | 440 | && unconditional(&e->ipv6)) { |
441 | unsigned int oldpos, size; | 441 | unsigned int oldpos, size; |
442 | 442 | ||
443 | if (t->verdict < -NF_MAX_VERDICT - 1) { | ||
444 | duprintf("mark_source_chains: bad " | ||
445 | "negative verdict (%i)\n", | ||
446 | t->verdict); | ||
447 | return 0; | ||
448 | } | ||
449 | |||
443 | /* Return: backtrack through the last | 450 | /* Return: backtrack through the last |
444 | big jump. */ | 451 | big jump. */ |
445 | do { | 452 | do { |
@@ -477,6 +484,13 @@ mark_source_chains(struct xt_table_info *newinfo, | |||
477 | if (strcmp(t->target.u.user.name, | 484 | if (strcmp(t->target.u.user.name, |
478 | IP6T_STANDARD_TARGET) == 0 | 485 | IP6T_STANDARD_TARGET) == 0 |
479 | && newpos >= 0) { | 486 | && newpos >= 0) { |
487 | if (newpos > newinfo->size - | ||
488 | sizeof(struct ip6t_entry)) { | ||
489 | duprintf("mark_source_chains: " | ||
490 | "bad verdict (%i)\n", | ||
491 | newpos); | ||
492 | return 0; | ||
493 | } | ||
480 | /* This a jump; chase it. */ | 494 | /* This a jump; chase it. */ |
481 | duprintf("Jump rule %u -> %u\n", | 495 | duprintf("Jump rule %u -> %u\n", |
482 | pos, newpos); | 496 | pos, newpos); |
@@ -509,27 +523,6 @@ cleanup_match(struct ip6t_entry_match *m, unsigned int *i) | |||
509 | } | 523 | } |
510 | 524 | ||
511 | static inline int | 525 | static inline int |
512 | standard_check(const struct ip6t_entry_target *t, | ||
513 | unsigned int max_offset) | ||
514 | { | ||
515 | struct ip6t_standard_target *targ = (void *)t; | ||
516 | |||
517 | /* Check standard info. */ | ||
518 | if (targ->verdict >= 0 | ||
519 | && targ->verdict > max_offset - sizeof(struct ip6t_entry)) { | ||
520 | duprintf("ip6t_standard_check: bad verdict (%i)\n", | ||
521 | targ->verdict); | ||
522 | return 0; | ||
523 | } | ||
524 | if (targ->verdict < -NF_MAX_VERDICT - 1) { | ||
525 | duprintf("ip6t_standard_check: bad negative verdict (%i)\n", | ||
526 | targ->verdict); | ||
527 | return 0; | ||
528 | } | ||
529 | return 1; | ||
530 | } | ||
531 | |||
532 | static inline int | ||
533 | check_match(struct ip6t_entry_match *m, | 526 | check_match(struct ip6t_entry_match *m, |
534 | const char *name, | 527 | const char *name, |
535 | const struct ip6t_ip6 *ipv6, | 528 | const struct ip6t_ip6 *ipv6, |
@@ -616,12 +609,7 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size, | |||
616 | if (ret) | 609 | if (ret) |
617 | goto err; | 610 | goto err; |
618 | 611 | ||
619 | if (t->u.kernel.target == &ip6t_standard_target) { | 612 | if (t->u.kernel.target->checkentry |
620 | if (!standard_check(t, size)) { | ||
621 | ret = -EINVAL; | ||
622 | goto err; | ||
623 | } | ||
624 | } else if (t->u.kernel.target->checkentry | ||
625 | && !t->u.kernel.target->checkentry(name, e, target, t->data, | 613 | && !t->u.kernel.target->checkentry(name, e, target, t->data, |
626 | e->comefrom)) { | 614 | e->comefrom)) { |
627 | duprintf("ip_tables: check failed for `%s'.\n", | 615 | duprintf("ip_tables: check failed for `%s'.\n", |
@@ -758,17 +746,19 @@ translate_table(const char *name, | |||
758 | } | 746 | } |
759 | } | 747 | } |
760 | 748 | ||
749 | if (!mark_source_chains(newinfo, valid_hooks, entry0)) | ||
750 | return -ELOOP; | ||
751 | |||
761 | /* Finally, each sanity check must pass */ | 752 | /* Finally, each sanity check must pass */ |
762 | i = 0; | 753 | i = 0; |
763 | ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size, | 754 | ret = IP6T_ENTRY_ITERATE(entry0, newinfo->size, |
764 | check_entry, name, size, &i); | 755 | check_entry, name, size, &i); |
765 | 756 | ||
766 | if (ret != 0) | 757 | if (ret != 0) { |
767 | goto cleanup; | 758 | IP6T_ENTRY_ITERATE(entry0, newinfo->size, |
768 | 759 | cleanup_entry, &i); | |
769 | ret = -ELOOP; | 760 | return ret; |
770 | if (!mark_source_chains(newinfo, valid_hooks, entry0)) | 761 | } |
771 | goto cleanup; | ||
772 | 762 | ||
773 | /* And one copy for every other CPU */ | 763 | /* And one copy for every other CPU */ |
774 | for_each_possible_cpu(i) { | 764 | for_each_possible_cpu(i) { |
@@ -777,9 +767,6 @@ translate_table(const char *name, | |||
777 | } | 767 | } |
778 | 768 | ||
779 | return 0; | 769 | return 0; |
780 | cleanup: | ||
781 | IP6T_ENTRY_ITERATE(entry0, newinfo->size, cleanup_entry, &i); | ||
782 | return ret; | ||
783 | } | 770 | } |
784 | 771 | ||
785 | /* Gets counters. */ | 772 | /* Gets counters. */ |