[nf,1/5] netfilter: nfnl_cthelper: don't report error if NFCTH_PRIV_DATA_LEN is empty

Message ID 1489934162-7415-2-git-send-email-zlpnobody@163.com
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Liping Zhang March 19, 2017, 2:35 p.m.
From: Liping Zhang <zlpnobody@gmail.com>

Currently, when we create cthelper via nfnetlink, -EINVAL will be
returned if the NFCTH_PRIV_DATA_LEN attribute is empty.

But enforcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems
unnecessary, so it's better to set the helper->data_len to zero if
the NFCTH_PRIV_DATA_LEN attribute is empty.

Found by running example program from libnetfilter_cthelper:
  # ./libnetfilter_cthelper/examples/nfct-helper-add test 1
  error: Invalid argument

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
---
 net/netfilter/nfnetlink_cthelper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Pablo Neira Ayuso March 21, 2017, 10:18 a.m. | #1
On Sun, Mar 19, 2017 at 10:35:58PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
> 
> Currently, when we create cthelper via nfnetlink, -EINVAL will be
> returned if the NFCTH_PRIV_DATA_LEN attribute is empty.
> 
> But enforcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems
> unnecessary, so it's better to set the helper->data_len to zero if
> the NFCTH_PRIV_DATA_LEN attribute is empty.
> 
> Found by running example program from libnetfilter_cthelper:
>   # ./libnetfilter_cthelper/examples/nfct-helper-add test 1
>   error: Invalid argument

I suggest you fix this userspace example instead, we should always
send NFCTH_PRIV_DATA_LEN. This is integral part of the helper
description.

NFCTH_ATTR_PRIV_DATA_LEN has been always set from the conntrack-tools,
so most likely this example just got outdated at some point of the
development and nobody noticed so far.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Liping Zhang March 21, 2017, 2:26 p.m. | #2
Hi Pablo,

2017-03-21 18:18 GMT+08:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Sun, Mar 19, 2017 at 10:35:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang <zlpnobody@gmail.com>
>>
>> Currently, when we create cthelper via nfnetlink, -EINVAL will be
>> returned if the NFCTH_PRIV_DATA_LEN attribute is empty.
>>
>> But enforcing the user to specify the NFCTH_PRIV_DATA_LEN attr seems
>> unnecessary, so it's better to set the helper->data_len to zero if
>> the NFCTH_PRIV_DATA_LEN attribute is empty.
>>
>> Found by running example program from libnetfilter_cthelper:
>>   # ./libnetfilter_cthelper/examples/nfct-helper-add test 1
>>   error: Invalid argument
>
> I suggest you fix this userspace example instead, we should always
> send NFCTH_PRIV_DATA_LEN. This is integral part of the helper
> description.
>
> NFCTH_ATTR_PRIV_DATA_LEN has been always set from the conntrack-tools,
> so most likely this example just got outdated at some point of the
> development and nobody noticed so far.

OK, get it. I will send a patch to fix the example codes.

>
> Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 2defe73..9c24301 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -205,7 +205,7 @@  nfnl_cthelper_create(const struct nlattr * const tb[],
 	struct nf_conntrack_helper *helper;
 	int ret;
 
-	if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
+	if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY])
 		return -EINVAL;
 
 	helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
@@ -217,7 +217,8 @@  nfnl_cthelper_create(const struct nlattr * const tb[],
 		goto err1;
 
 	strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
-	helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+	if (tb[NFCTH_PRIV_DATA_LEN])
+		helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
 	helper->flags |= NF_CT_HELPER_F_USERSPACE;
 	memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));