
netfilter: nf_tables: limit allowed range via nla_policy

These NLA_U32 attributes are stored in u8 fields; reject out-of-range values
instead of silently truncating them to u8.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso
a412dbf4 079cd633

+21 -21
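--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -86,7 +86,7 @@
 [NFTA_BITWISE_LEN] = { .type = NLA_U32 },
 [NFTA_BITWISE_MASK] = { .type = NLA_NESTED },
 [NFTA_BITWISE_XOR] = { .type = NLA_NESTED },
-[NFTA_BITWISE_OP] = { .type = NLA_U32 },
+[NFTA_BITWISE_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_BITWISE_DATA] = { .type = NLA_NESTED },
 };
 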
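Review bot: The bound on the new NFTA_BITWISE_OP entry is the bare literal 255, which hides why that value was chosen; since the commit message says these attributes land in u8 fields, `[NFTA_BITWISE_OP] = NLA_POLICY_MAX(NLA_BE32, U8_MAX),` ties the policy limit to the field width it protects and makes a later widening of the field a one-place change. The same literal is repeated in every other hunk of this commit (nft_byteorder, nft_ct, nft_dynset, nft_exthdr, nft_fwd_netdev, nft_hash, nft_meta, nft_range, nft_reject, nft_rt, nft_socket, nft_tproxy, nft_tunnel, nft_xfrm), so the substitution applies there too. The policy is only a coarse filter: the per-expression init functions, which are outside these hunks, presumably still validate the exact opcode/length values and should keep doing so.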
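--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -88,9 +88,9 @@
 static const struct nla_policy nft_byteorder_policy[NFTA_BYTEORDER_MAX + 1] = {
 [NFTA_BYTEORDER_SREG] = { .type = NLA_U32 },
 [NFTA_BYTEORDER_DREG] = { .type = NLA_U32 },
-[NFTA_BYTEORDER_OP] = { .type = NLA_U32 },
-[NFTA_BYTEORDER_LEN] = { .type = NLA_U32 },
-[NFTA_BYTEORDER_SIZE] = { .type = NLA_U32 },
+[NFTA_BYTEORDER_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
+[NFTA_BYTEORDER_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
+[NFTA_BYTEORDER_SIZE] = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_byteorder_init(const struct nft_ctx *ctx,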
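--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -332,7 +332,7 @@
 
 static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
 [NFTA_CT_DREG] = { .type = NLA_U32 },
-[NFTA_CT_KEY] = { .type = NLA_U32 },
+[NFTA_CT_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_CT_DIRECTION] = { .type = NLA_U8 },
 [NFTA_CT_SREG] = { .type = NLA_U32 },
 };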
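--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -148,7 +148,7 @@
 [NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING,
 .len = NFT_SET_MAXNAMELEN - 1 },
 [NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
-[NFTA_DYNSET_OP] = { .type = NLA_U32 },
+[NFTA_DYNSET_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
 [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
 [NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },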
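--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -487,9 +487,9 @@
 [NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
 [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
 [NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
-[NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
+[NFTA_EXTHDR_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
-[NFTA_EXTHDR_OP] = { .type = NLA_U32 },
+[NFTA_EXTHDR_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_EXTHDR_SREG] = { .type = NLA_U32 },
 };
 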
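--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -40,7 +40,7 @@
 static const struct nla_policy nft_fwd_netdev_policy[NFTA_FWD_MAX + 1] = {
 [NFTA_FWD_SREG_DEV] = { .type = NLA_U32 },
 [NFTA_FWD_SREG_ADDR] = { .type = NLA_U32 },
-[NFTA_FWD_NFPROTO] = { .type = NLA_U32 },
+[NFTA_FWD_NFPROTO] = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_fwd_netdev_init(const struct nft_ctx *ctx,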
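--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -59,7 +59,7 @@
 static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
 [NFTA_HASH_SREG] = { .type = NLA_U32 },
 [NFTA_HASH_DREG] = { .type = NLA_U32 },
-[NFTA_HASH_LEN] = { .type = NLA_U32 },
+[NFTA_HASH_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_HASH_MODULUS] = { .type = NLA_U32 },
 [NFTA_HASH_SEED] = { .type = NLA_U32 },
 [NFTA_HASH_OFFSET] = { .type = NLA_U32 },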
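--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -458,7 +458,7 @@
 
 const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
 [NFTA_META_DREG] = { .type = NLA_U32 },
-[NFTA_META_KEY] = { .type = NLA_U32 },
+[NFTA_META_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_META_SREG] = { .type = NLA_U32 },
 };
 EXPORT_SYMBOL_GPL(nft_meta_policy);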
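Review bot: nft_meta_policy is exported (the EXPORT_SYMBOL_GPL line is visible in this hunk), so the tightened NFTA_META_KEY range is inherited by every other module that parses with this table, not only by nft_meta.c itself; the same holds for nft_reject_policy in the nft_reject hunk. That is presumably intended, since those users store the key in the same u8 field, but the commit message only mentions the local expressions and would be clearer if it stated that the exported policies change behaviour for their external users as well. A one-line comment above the table, such as `/* shared with other expression modules; keep the range in sync with the u8 key field */`, would also warn future editors that this policy has callers outside this file.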
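--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -42,7 +42,7 @@
 
 static const struct nla_policy nft_range_policy[NFTA_RANGE_MAX + 1] = {
 [NFTA_RANGE_SREG] = { .type = NLA_U32 },
-[NFTA_RANGE_OP] = { .type = NLA_U32 },
+[NFTA_RANGE_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_RANGE_FROM_DATA] = { .type = NLA_NESTED },
 [NFTA_RANGE_TO_DATA] = { .type = NLA_NESTED },
 };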
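--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -18,7 +18,7 @@
 #include <linux/icmpv6.h>
 
 const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
-[NFTA_REJECT_TYPE] = { .type = NLA_U32 },
+[NFTA_REJECT_TYPE] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_REJECT_ICMP_CODE] = { .type = NLA_U8 },
 };
 EXPORT_SYMBOL_GPL(nft_reject_policy);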
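--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -104,7 +104,7 @@
 
 static const struct nla_policy nft_rt_policy[NFTA_RT_MAX + 1] = {
 [NFTA_RT_DREG] = { .type = NLA_U32 },
-[NFTA_RT_KEY] = { .type = NLA_U32 },
+[NFTA_RT_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_rt_get_init(const struct nft_ctx *ctx,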
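--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -138,9 +138,9 @@
 }
 
 static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
-[NFTA_SOCKET_KEY] = { .type = NLA_U32 },
+[NFTA_SOCKET_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_SOCKET_DREG] = { .type = NLA_U32 },
-[NFTA_SOCKET_LEVEL] = { .type = NLA_U32 },
+[NFTA_SOCKET_LEVEL] = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_socket_init(const struct nft_ctx *ctx,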
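--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -183,7 +183,7 @@
 }
 
 static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
-[NFTA_TPROXY_FAMILY] = { .type = NLA_U32 },
+[NFTA_TPROXY_FAMILY] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
 [NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
 };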
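--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -66,9 +66,9 @@
 }
 
 static const struct nla_policy nft_tunnel_policy[NFTA_TUNNEL_MAX + 1] = {
-[NFTA_TUNNEL_KEY] = { .type = NLA_U32 },
+[NFTA_TUNNEL_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_TUNNEL_DREG] = { .type = NLA_U32 },
-[NFTA_TUNNEL_MODE] = { .type = NLA_U32 },
+[NFTA_TUNNEL_MODE] = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_tunnel_get_init(const struct nft_ctx *ctx,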
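--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -16,9 +16,9 @@
 #include <net/xfrm.h>
 
 static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
-[NFTA_XFRM_KEY] = { .type = NLA_U32 },
+[NFTA_XFRM_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_XFRM_DIR] = { .type = NLA_U8 },
-[NFTA_XFRM_SPNUM] = { .type = NLA_U32 },
+[NFTA_XFRM_SPNUM] = NLA_POLICY_MAX(NLA_BE32, 255),
 [NFTA_XFRM_DREG] = { .type = NLA_U32 },
 };
 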