
[libnftnl,6/6] expr: Enforce attr_policy compliance in nftnl_expr_set()

Message ID 20231215215350.17691-7-phil@nwl.cc
State Accepted
Series Attribute policies for expressions

Commit Message

Phil Sutter Dec. 15, 2023, 9:53 p.m. UTC
Every expression type defines an attr_policy array, so deny setting
attributes if not present. Also deny if maxlen field is non-zero and
lower than the given data_len.

Some attributes' max length is not fixed (e.g. NFTNL_EXPR_{TG,MT}_INFO)
or is not sensible to check (e.g. NFTNL_EXPR_DYNSET_EXPR). The zero
maxlen "nop" is also used for deprecated attributes, just to not
silently ignore them.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/expr.c | 7 +++++++
 1 file changed, 7 insertions(+)

Patch

diff --git a/src/expr.c b/src/expr.c
index 74d211bcaa123..4e32189c6e8d0 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -74,6 +74,13 @@  int nftnl_expr_set(struct nftnl_expr *expr, uint16_t type,
 		if (type < NFTNL_EXPR_BASE || type > expr->ops->nftnl_max_attr)
 			return -1;
 
+		if (!expr->ops->attr_policy)
+			return -1;
+
+		if (expr->ops->attr_policy[type].maxlen &&
+		    expr->ops->attr_policy[type].maxlen < data_len)
+			return -1;
+
 		if (expr->ops->set(expr, type, data, data_len) < 0)
 			return -1;
 	}
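Review bot: The new `attr_policy[type]` index is only safe if every expression type's `attr_policy` array has at least `nftnl_max_attr + 1` entries, which this hunk cannot show and which the preceding `type > expr->ops->nftnl_max_attr` range check does not guarantee on its own; a short comment next to the lookup (or a build-time size check where the arrays are defined) would document that contract for anyone adding an expression type later. Two smaller points on the same lines: the special meaning of `maxlen == 0` ("no length limit", per the commit message) is not visible from the code, so `if (expr->ops->attr_policy[type].maxlen &&` deserves a one-line comment saying so; and the check only rejects oversized data, so a fixed-size attribute passed with a `data_len` shorter than its `maxlen` still reaches `expr->ops->set()`, which remains responsible for that case.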