Message ID | 1472394618-5711-1-git-send-email-fgao@ikuai8.com |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
On Sun, Aug 28, 2016 at 10:30 PM, <fgao@ikuai8.com> wrote:
> From: Gao Feng <fgao@ikuai8.com>
>
> The nf_log_set is an interface function, so it should do the strict sanity
> check of parameters. Add one sanity check for pf, it could not exceed
> NFPROTO_NUMPROTO, and print error log when pf is invalid.
>
> Signed-off-by: Gao Feng <fgao@ikuai8.com>
> ---
> net/netfilter/nf_log.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c > index aa5847a..02ce0b9 100644 > --- a/net/netfilter/nf_log.c > +++ b/net/netfilter/nf_log.c > @@ -43,8 +43,10 @@ void nf_log_set(struct net *net, u_int8_t pf, const struct nf_logger *logger) > { > const struct nf_logger *log; > > - if (pf == NFPROTO_UNSPEC) > + if (pf == NFPROTO_UNSPEC || pf >= NFPROTO_NUMPROTO) { > + pr_err("Wrong pf(%d) for nf log", pf); > return; > + } > > mutex_lock(&nf_log_mutex); > log = nft_log_dereference(net->nf.nf_loggers[pf]); > -- > 1.9.1
>

BTW, another similar interface function "nf_log_register" checks sanity of param "pf". So I think nf_log_set also needs to check if param "pf" exceeds the valid range.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, Aug 28, 2016 at 10:30:18PM +0800, fgao@ikuai8.com wrote:
> From: Gao Feng <fgao@ikuai8.com>
>
> The nf_log_set is an interface function, so it should do the strict sanity
> check of parameters. Add one sanity check for pf, it could not exceed
> NFPROTO_NUMPROTO, and print error log when pf is invalid.
>
> Signed-off-by: Gao Feng <fgao@ikuai8.com>
> ---
> net/netfilter/nf_log.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c > index aa5847a..02ce0b9 100644 > --- a/net/netfilter/nf_log.c > +++ b/net/netfilter/nf_log.c > @@ -43,8 +43,10 @@ void nf_log_set(struct net *net, u_int8_t pf, const struct nf_logger *logger) > { > const struct nf_logger *log; > > - if (pf == NFPROTO_UNSPEC) > + if (pf == NFPROTO_UNSPEC || pf >= NFPROTO_NUMPROTO) { > + pr_err("Wrong pf(%d) for nf log", pf); > return;

I'd suggest you change this function nf_log_set() to:

int nf_log_set(struct net *net, ...)

And update the callsites. Then, you can simply return -EOPNOTSUPP instead and remove that pr_err() message. This message is very unlikely to be displayed.

Thanks!
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index aa5847a..02ce0b9 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -43,8 +43,10 @@ void nf_log_set(struct net *net, u_int8_t pf, const struct nf_logger *logger) { const struct nf_logger *log; - if (pf == NFPROTO_UNSPEC) + if (pf == NFPROTO_UNSPEC || pf >= NFPROTO_NUMPROTO) { + pr_err("Wrong pf(%d) for nf log", pf); return; + } mutex_lock(&nf_log_mutex); log = nft_log_dereference(net->nf.nf_loggers[pf]);
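Review bot: the new `pr_err("Wrong pf(%d) for nf log", pf);` line in this hunk has no trailing `\n`, and an out-of-range `pf` here means an in-kernel caller passed a bad protocol family, which is better reported to that caller than to the kernel log; as the thread suggests, giving `nf_log_set()` an `int` return type and returning `-EOPNOTSUPP` from this branch (dropping the `pr_err()`) lets callers fail visibly instead of silently continuing. The added `pf >= NFPROTO_NUMPROTO` bound is the useful part of the change, since it runs before `net->nf.nf_loggers[pf]` is indexed under `nf_log_mutex`; `%d` on a `u_int8_t` is correct after integer promotion, though `%u` reads more naturally for an unsigned value.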