tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: helper: add build-time asserts for helper data size

add a 32 byte scratch area in the helper struct instead of relying
on variable sized helpers plus compile-time asserts to let us know
if 32 bytes aren't enough anymore.

Not having variable sized helpers will later allow to add BUILD_BUG_ON
for the total size of conntrack extensions -- the helper extension is
the only one that doesn't have a fixed size.

The (useless!) NF_CT_HELPER_BUILD_BUG_ON(0); are added so that in case
someone adds a new helper and copy-pastes from one that doesn't store
private data at least some indication that this macro should be used
somehow is there...

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso dcf67740 906535b0

+20 -1
+4 -1
include/net/netfilter/nf_conntrack_helper.h
··· 66 66 u8 expecting[NF_CT_MAX_EXPECT_CLASSES]; 67 67 68 68 /* private helper information. */ 69 - char data[]; 69 + char data[32] __aligned(8); 70 70 }; 71 + 72 + #define NF_CT_HELPER_BUILD_BUG_ON(structsize) \ 73 + BUILD_BUG_ON((structsize) > FIELD_SIZEOF(struct nf_conn_help, data)) 71 74 72 75 struct nf_conntrack_helper *__nf_conntrack_helper_find(const char *name, 73 76 u16 l3num, u8 protonum);
+2
net/netfilter/nf_conntrack_amanda.c
··· 207 207 { 208 208 int ret, i; 209 209 210 + NF_CT_HELPER_BUILD_BUG_ON(0); 211 + 210 212 for (i = 0; i < ARRAY_SIZE(search); i++) { 211 213 search[i].ts = textsearch_prepare(ts_algo, search[i].string, 212 214 search[i].len,
+2
net/netfilter/nf_conntrack_ftp.c
··· 577 577 { 578 578 int i, ret = 0; 579 579 580 + NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_ftp_master)); 581 + 580 582 ftp_buffer = kmalloc(65536, GFP_KERNEL); 581 583 if (!ftp_buffer) 582 584 return -ENOMEM;
+2
net/netfilter/nf_conntrack_h323_main.c
··· 1836 1836 { 1837 1837 int ret; 1838 1838 1839 + NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_h323_master)); 1840 + 1839 1841 h323_buffer = kmalloc(65536, GFP_KERNEL); 1840 1842 if (!h323_buffer) 1841 1843 return -ENOMEM;
+2
net/netfilter/nf_conntrack_netbios_ns.c
··· 58 58 59 59 static int __init nf_conntrack_netbios_ns_init(void) 60 60 { 61 + NF_CT_HELPER_BUILD_BUG_ON(0); 62 + 61 63 exp_policy.timeout = timeout; 62 64 return nf_conntrack_helper_register(&helper); 63 65 }
+2
net/netfilter/nf_conntrack_pptp.c
··· 607 607 608 608 static int __init nf_conntrack_pptp_init(void) 609 609 { 610 + NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_pptp_master)); 611 + 610 612 return nf_conntrack_helper_register(&pptp); 611 613 } 612 614
+2
net/netfilter/nf_conntrack_sane.c
··· 184 184 { 185 185 int i, ret = 0; 186 186 187 + NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sane_master)); 188 + 187 189 sane_buffer = kmalloc(65536, GFP_KERNEL); 188 190 if (!sane_buffer) 189 191 return -ENOMEM;
+2
net/netfilter/nf_conntrack_sip.c
··· 1622 1622 { 1623 1623 int i, ret; 1624 1624 1625 + NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sip_master)); 1626 + 1625 1627 if (ports_c == 0) 1626 1628 ports[ports_c++] = SIP_PORT; 1627 1629
+2
net/netfilter/nf_conntrack_tftp.c
··· 113 113 { 114 114 int i, ret; 115 115 116 + NF_CT_HELPER_BUILD_BUG_ON(0); 117 + 116 118 if (ports_c == 0) 117 119 ports[ports_c++] = TFTP_PORT; 118 120