[26/47] netfilter: nfnetlink_cthelper: Remove VLA usage

Message ID	20180330114334.18664-7-pablo@netfilter.org
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> sender: pneira@us.es) by entrada.int (Postfix) with ESMTPA id 190D44265A2F; Fri, 30 Mar 2018 13:43:40 +0200 (CEST) From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org Subject: [PATCH 26/47] netfilter: nfnetlink_cthelper: Remove VLA usage Date: Fri, 30 Mar 2018 13:43:13 +0200 Message-Id: <20180330114334.18664-7-pablo@netfilter.org> In-Reply-To: <20180330114334.18664-1-pablo@netfilter.org> References: <20180330114334.18664-1-pablo@netfilter.org> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	[01/47] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static \| expand [01/47] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static [02/47] netfilter: nfnetlink_acct: remove useless parameter [03/47] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast [04/47] netfilter: nf_conntrack_broadcast: remove useless parameter [05/47] netfilter: ipt_ah: return boolean instead of integer [06/47] netfilter: unlock xt_table earlier in __do_replace [07/47] netfilter: x_tables: check standard verdicts in core [08/47] netfilter: x_tables: check error target size too [09/47] netfilter: x_tables: move hook entry checks into core [10/47] netfilter: x_tables: enforce unique and ascending entry points [11/47] netfilter: x_tables: cap allocations at 512 mbyte [12/47] netfilter: x_tables: limit allocation requests for blob rule heads [13/47] netfilter: x_tables: add counters allocation wrapper [14/47] netfilter: compat: prepare xt_compat_init_offsets to return errors [15/47] netfilter: compat: reject huge allocation requests [16/47] netfilter: x_tables: make sure compat af mutex is held [17/47] netfilter: x_tables: ensure last rule in base chain matches underflow/policy [18/47] netfilter: make xt_rateest hash table per net [19/47] netfilter: xt_limit: Spelling s/maxmum/maximum/ [20/47] netfilter: x_tables: fix build with CONFIG_COMPAT=n [21/47] ipvs: use true and false for boolean values [22/47] netfilter: Refactor nf_conncount [23/47] netfilter: conncount: Support count only use case [24/47] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6} [25/47] netfilter: cttimeout: remove VLA usage [26/47] netfilter: nfnetlink_cthelper: Remove VLA usage [27/47] netfilter: nf_tables: remove VLA usage [28/47] netfilter: ebtables: use ADD_COUNTER macro [29/47] netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets. [30/47] netfilter: Replace printk() with pr_*() and define pr_fmt() [31/47] netfilter: ctnetlink: synproxy support [32/47] netfilter: ebtables: add support for matching ICMP type and code [33/47] netfilter: ebtables: add support for matching IGMP type [34/47] netfilter: ebtables: Add support for specifying match revision [35/47] netfilter: ebtables: Add string filter [36/47] netfilter: add flowtable documentation [37/47] netfilter: ebt_stp: Use generic functions for comparisons [38/47] netfilter: nf_tables: rename struct nf_chain_type [39/47] netfilter: nf_tables: nft_register_chain_type() returns void [40/47] netfilter: nf_tables: build-in filter chain type [41/47] netfilter: nf_tables: enable conntrack if NAT chain is registered [42/47] netfilter: nf_tables: rename to nft_set_lookup_global() [43/47] netfilter: nf_tables: use nft_set_lookup_global from nf_tables_newsetelem() [44/47] netfilter: Merge assignment with return [45/47] netfilter: x_tables: Add note about how to free percpu counters [46/47] Revert "netfilter: x_tables: ensure last rule in base chain matches underflow/policy" [47/47] netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp

Message ID

20180330114334.18664-7-pablo@netfilter.org

State

Accepted, archived

Delegated to:

David Miller

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 26/47] netfilter: nfnetlink_cthelper: Remove VLA usage
Date: Fri, 30 Mar 2018 13:43:13 +0200
Message-Id: <20180330114334.18664-7-pablo@netfilter.org>
In-Reply-To: <20180330114334.18664-1-pablo@netfilter.org>
References: <20180330114334.18664-1-pablo@netfilter.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

[01/47] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static | expand

Commit Message

Pablo Neira Ayuso March 30, 2018, 11:43 a.m. UTC

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

In preparation to enabling -Wvla, remove VLA and replace it
with dynamic memory allocation.

>From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
can end up having segfaults that are hard to debug.

Also, fixed as part of the directive to remove all VLAs from
the kernel: https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_cthelper.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index d33ce6d5ebce..4a4b293fb2e5 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -314,23 +314,30 @@  nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
 static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
 					   struct nf_conntrack_helper *helper)
 {
-	struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
+	struct nf_conntrack_expect_policy *new_policy;
 	struct nf_conntrack_expect_policy *policy;
-	int i, err;
+	int i, ret = 0;
+
+	new_policy = kmalloc_array(helper->expect_class_max + 1,
+				   sizeof(*new_policy), GFP_KERNEL);
+	if (!new_policy)
+		return -ENOMEM;
 
 	/* Check first that all policy attributes are well-formed, so we don't
 	 * leave things in inconsistent state on errors.
 	 */
 	for (i = 0; i < helper->expect_class_max + 1; i++) {
 
-		if (!tb[NFCTH_POLICY_SET + i])
-			return -EINVAL;
+		if (!tb[NFCTH_POLICY_SET + i]) {
+			ret = -EINVAL;
+			goto err;
+		}
 
-		err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
+		ret = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
 						      &new_policy[i],
 						      tb[NFCTH_POLICY_SET + i]);
-		if (err < 0)
-			return err;
+		if (ret < 0)
+			goto err;
 	}
 	/* Now we can safely update them. */
 	for (i = 0; i < helper->expect_class_max + 1; i++) {
@@ -340,7 +347,9 @@  static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
 		policy->timeout	= new_policy->timeout;
 	}
 
-	return 0;
+err:
+	kfree(new_policy);
+	return ret;
 }
 
 static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,

[26/47] netfilter: nfnetlink_cthelper: Remove VLA usage

Commit Message

Patch