[nf-next,2/4] netfilter: add BUILD_BUG_ON asserts for hook array sizes

Message ID 20171113164107.11259-3-fw@strlen.de
State Under Review
Delegated to: Pablo Neira
Series
  • netfilter: reduce hook sizes in struct net

Commit Message

Florian Westphal Nov. 13, 2017, 4:41 p.m.
Check that the array hooks are not accessed out-of-bounds.
Next patch will then reduce their sizes to reflect the number
of hooks implemented for each family.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter.h | 5 +++++
 1 file changed, 5 insertions(+)

Patch

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 80aa9a0b3d10..2e9896d42f96 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -197,18 +197,23 @@  static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 	rcu_read_lock();
 	switch (pf) {
 	case NFPROTO_IPV4:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv4));
 		hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
 		break;
 	case NFPROTO_IPV6:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv6));
 		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
 		break;
 	case NFPROTO_ARP:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_arp));
 		hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
 		break;
 	case NFPROTO_BRIDGE:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_bridge));
 		hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
 		break;
 	case NFPROTO_DECNET:
+		BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_decnet));
 		hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
 		break;
 	default:
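Review bot: the BUILD_BUG_ON() lines added before each rcu_dereference() only act as a bounds check when `hook` folds to a compile-time constant after nf_hook() is inlined; for any caller that passes a hook number computed at run time, the condition cannot be evaluated by the compiler and the result is a build failure rather than a check. The commit message should state that every caller of nf_hook() passes a constant hook number (that is the assumption this relies on), or the assert could be made conditional, e.g. `if (__builtin_constant_p(hook)) BUILD_BUG_ON(hook >= ARRAY_SIZE(net->nf.hooks_ipv4));`, with the non-constant case left to a run-time check. The `>=` comparison itself is correct for a zero-based index into an array of ARRAY_SIZE() entries.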