
netfilter: nf_tables: validate the name size when possible

Currently, if the user adds a stateful object whose name size exceeds
NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
This is not friendly; furthermore, it will cause duplicated stateful
objects when the first 31 characters of the names are the same. So limit the
stateful object's name size to NFT_OBJ_MAXNAMELEN - 1.

After apply this patch, error message will be printed out like this:
# name_32=$(printf "%0.sQ" {1..32})
# nft add counter filter $name_32
<cmdline>:1:1-52: Error: Could not process rule: Numerical result out
of range
add counter filter QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Also this patch cleans up the codes which missing the name size limit
validation in nftables.

Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Liping Zhang and committed by
Pablo Neira Ayuso
b2fbd044 e5072053

+22 -11
+14 -7
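--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -928,7 +928,8 @@
 }
 
 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
-	[NFTA_CHAIN_TABLE]	= { .type = NLA_STRING },
+	[NFTA_CHAIN_TABLE]	= { .type = NLA_STRING,
+				    .len = NFT_TABLE_MAXNAMELEN - 1 },
 	[NFTA_CHAIN_HANDLE]	= { .type = NLA_U64 },
 	[NFTA_CHAIN_NAME]	= { .type = NLA_STRING,
 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
@@ -1855,7 +1854,8 @@
 }
 
 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
-	[NFTA_RULE_TABLE]	= { .type = NLA_STRING },
+	[NFTA_RULE_TABLE]	= { .type = NLA_STRING,
+				    .len = NFT_TABLE_MAXNAMELEN - 1 },
 	[NFTA_RULE_CHAIN]	= { .type = NLA_STRING,
 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
 	[NFTA_RULE_HANDLE]	= { .type = NLA_U64 },
@@ -2445,7 +2443,8 @@
 }
 
 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
-	[NFTA_SET_TABLE]		= { .type = NLA_STRING },
+	[NFTA_SET_TABLE]		= { .type = NLA_STRING,
+					    .len = NFT_TABLE_MAXNAMELEN - 1 },
 	[NFTA_SET_NAME]			= { .type = NLA_STRING,
 					    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_SET_FLAGS]		= { .type = NLA_U32 },
@@ -3195,8 +3192,10 @@
 };
 
 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
-	[NFTA_SET_ELEM_LIST_TABLE]	= { .type = NLA_STRING },
-	[NFTA_SET_ELEM_LIST_SET]	= { .type = NLA_STRING },
+	[NFTA_SET_ELEM_LIST_TABLE]	= { .type = NLA_STRING,
+					    .len = NFT_TABLE_MAXNAMELEN - 1 },
+	[NFTA_SET_ELEM_LIST_SET]	= { .type = NLA_STRING,
+					    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_SET_ELEM_LIST_ELEMENTS]	= { .type = NLA_NESTED },
 	[NFTA_SET_ELEM_LIST_SET_ID]	= { .type = NLA_U32 },
 };
@@ -4037,8 +4032,10 @@
 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
 
 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
-	[NFTA_OBJ_TABLE]	= { .type = NLA_STRING },
-	[NFTA_OBJ_NAME]		= { .type = NLA_STRING },
+	[NFTA_OBJ_TABLE]	= { .type = NLA_STRING,
+				    .len = NFT_TABLE_MAXNAMELEN - 1 },
+	[NFTA_OBJ_NAME]		= { .type = NLA_STRING,
+				    .len = NFT_OBJ_MAXNAMELEN - 1 },
 	[NFTA_OBJ_TYPE]		= { .type = NLA_U32 },
 	[NFTA_OBJ_DATA]		= { .type = NLA_NESTED },
 };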
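Review bot: The new `.len` bounds on these NLA_STRING entries make policy validation reject oversize table/set/object names with -ERANGE, but NLA_STRING does not require the payload to be NUL-terminated, so the code that consumes NFTA_*_TABLE / NFTA_*_NAME (outside these hunks) must keep copying with a bounded helper such as `nla_strlcpy()` rather than reading `nla_data()` as a C string; if guaranteed termination is the intent, NLA_NUL_STRING would make it a validation property instead of a caller convention. For NLA_STRING the validator strips one trailing NUL before comparing against `.len`, so `NFT_*_MAXNAMELEN - 1` is the right bound for a NFT_*_MAXNAMELEN-byte destination — a one-line comment on the first entry, `/* .len excludes the terminating NUL; bound matches the MAXNAMELEN-byte copy target */`, would spare the next reader that lookup. The same two remarks apply to the entries added in nft_dynset.c, nft_lookup.c and nft_objref.c. Silent truncation previously let two user-supplied names sharing a 31-character prefix resolve to the same object, which is the aliasing this change closes.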
+2 -1
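--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -98,7 +98,8 @@
 }
 
 static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
-	[NFTA_DYNSET_SET_NAME]	= { .type = NLA_STRING },
+	[NFTA_DYNSET_SET_NAME]	= { .type = NLA_STRING,
+				    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_DYNSET_SET_ID]	= { .type = NLA_U32 },
 	[NFTA_DYNSET_OP]	= { .type = NLA_U32 },
 	[NFTA_DYNSET_SREG_KEY]	= { .type = NLA_U32 },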
+2 -1
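--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -49,7 +49,8 @@
 }
 
 static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
-	[NFTA_LOOKUP_SET]	= { .type = NLA_STRING },
+	[NFTA_LOOKUP_SET]	= { .type = NLA_STRING,
+				    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_LOOKUP_SET_ID]	= { .type = NLA_U32 },
 	[NFTA_LOOKUP_SREG]	= { .type = NLA_U32 },
 	[NFTA_LOOKUP_DREG]	= { .type = NLA_U32 },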
+4 -2
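--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -193,10 +193,12 @@
 }
 
 static const struct nla_policy nft_objref_policy[NFTA_OBJREF_MAX + 1] = {
-	[NFTA_OBJREF_IMM_NAME]	= { .type = NLA_STRING },
+	[NFTA_OBJREF_IMM_NAME]	= { .type = NLA_STRING,
+				    .len = NFT_OBJ_MAXNAMELEN - 1 },
 	[NFTA_OBJREF_IMM_TYPE]	= { .type = NLA_U32 },
 	[NFTA_OBJREF_SET_SREG]	= { .type = NLA_U32 },
-	[NFTA_OBJREF_SET_NAME]	= { .type = NLA_STRING },
+	[NFTA_OBJREF_SET_NAME]	= { .type = NLA_STRING,
+				    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_OBJREF_SET_ID]	= { .type = NLA_U32 },
 };
 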