From patchwork Mon May 14 16:04:10 2012
X-Patchwork-Submitter: Alban Crequy
X-Patchwork-Id: 159054
Date: Mon, 14 May 2012 17:04:10 +0100
From: Alban Crequy To: Alban Crequy Cc: Pablo Neira Ayuso , Patrick McHardy , Vincent Sanders , Javier Martinez Canillas , netfilter-devel@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH v2 1/6] netfilter: sanity checks on NFPROTO_NUMPROTO Message-ID: <20120514170410.6c2f1c5b@rainbow.cbg.collabora.co.uk> In-Reply-To: <20120514163949.37e614f4@rainbow.cbg.collabora.co.uk> References: <1337003799-2517-1-git-send-email-alban.crequy@collabora.co.uk> <20120514144235.GE12992@1984> <20120514163949.37e614f4@rainbow.cbg.collabora.co.uk> Organization: Collabora X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.10; x86_64-pc-linux-gnu) Mime-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org On Mon, 14 May 2012 16:39:49 +0100, Alban Crequy wrote: > On Mon, 14 May 2012 16:42:35 +0200, > Pablo Neira Ayuso wrote: > > > On Mon, May 14, 2012 at 02:56:34PM +0100, Alban Crequy wrote: > > > With the NFPROTO_* constants introduced by commit 7e9c6e > > > ("netfilter: Introduce NFPROTO_* constants"), it is too easy to > > > confuse PF_* and NFPROTO_* constants in new protocols. > > > > > > Signed-off-by: Alban Crequy > > > Reviewed-by: Javier Martinez Canillas > > > Reviewed-by: Vincent Sanders > > > --- > > > net/netfilter/core.c | 5 +++++ > > > 1 files changed, 5 insertions(+), 0 deletions(-) > > > > > > diff --git a/net/netfilter/core.c b/net/netfilter/core.c > > > index e1b7e05..4f16552 100644 > > > --- a/net/netfilter/core.c > > > +++ b/net/netfilter/core.c > > > @@ -67,6 +67,11 @@ int nf_register_hook(struct nf_hook_ops *reg) > > > struct nf_hook_ops *elem; > > > int err; > > > > > > + if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= > > > NF_MAX_HOOKS) { > > > + BUG(); > > > + return 1; > > > > nf_register_hook returns a negative value on error. -EINVAL can be > > fine. > > Is it the patch you mean? Do you want me to do a series repost? Please disregard the previous patch, this is the correct one.
From: Alban Crequy netfilter: sanity checks on NFPROTO_NUMPROTO With the NFPROTO_* constants introduced by commit 7e9c6e ("netfilter: Introduce NFPROTO_* constants"), it is too easy to confuse PF_* and NFPROTO_* constants in new protocols. Signed-off-by: Alban Crequy --- net/netfilter/core.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index e1b7e05..7422989 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -67,6 +67,14 @@ int nf_register_hook(struct nf_hook_ops *reg) struct nf_hook_ops *elem; int err; + if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= NF_MAX_HOOKS) { + WARN(reg->pf >= NFPROTO_NUMPROTO, + "netfilter: Invalid nfproto %d\n", reg->pf); + WARN(reg->hooknum >= NF_MAX_HOOKS, + "netfilter: Invalid hooknum %d\n", reg->hooknum); + return -EINVAL; + } + err = mutex_lock_interruptible(&nf_hook_mutex); if (err < 0) return err;
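Review bot: in the block added at the top of nf_register_hook(), each bound is written twice, once in the `if` and again as the condition of its WARN(), so the two copies can drift apart in a later edit. WARN() evaluates to its condition, so the results of the two WARN() calls could be kept in locals and tested once before `return -EINVAL;`. The subject and commit message describe only the PF_*/NFPROTO_* mix-up, while the hunk also rejects `reg->hooknum >= NF_MAX_HOOKS`; the message should mention that second check and say what goes wrong when an out-of-range value is registered. Both format strings use %d, which should be checked against the declared types of `pf` and `hooknum`. Placing the check before mutex_lock_interruptible() is right, since the early return then has nothing to unlock, and -EINVAL follows the negative-errno convention asked for in the quoted review.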