From patchwork Sat Oct 5 16:33:15 2013
X-Patchwork-Submitter: Phil Oester
X-Patchwork-Id: 280775
Date: Sat, 5 Oct 2013 09:33:15 -0700
From: Phil Oester
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] iptables: improve chain name validation
Message-ID: <20131005163315.GA16881@home>

As pointed out by Andrew Domaszek, iptables allows whitespace to be included in chain names. This causes issues with iptables-restore, and later iptables actions on the chain. Attached patch disallows whitespace, and also consolidates all chain name checking into a new function. This closes netfilter bugzilla #855.

Signed-off-by: Phil Oester

diff --git a/iptables/iptables.c b/iptables/iptables.c index d3899bc..5cd2596 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -373,6 +373,32 @@ parse_rulenumber(const char *rule) return rulenum; } +static void +parse_chain(const char *chainname) +{ + const char *ptr; + + if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) + xtables_error(PARAMETER_PROBLEM, + "chain name `%s' too long (must be under %u chars)", + chainname, XT_EXTENSION_MAXNAMELEN); + + if (*chainname == '-' || *chainname == '!') + xtables_error(PARAMETER_PROBLEM, + "chain name not allowed to start " + "with `%c'\n", *chainname); + + if (xtables_find_target(chainname, XTF_TRY_LOAD)) + xtables_error(PARAMETER_PROBLEM, + "chain name may not clash " + "with target name\n"); + + for (ptr = chainname; *ptr; ptr++) + if (isspace(*ptr)) + xtables_error(PARAMETER_PROBLEM, + "Invalid chain name `%s'", chainname); +} + static const char * parse_target(const char *targetname) { 
@@ -1428,14 +1454,7 @@ int do_command4(int argc, char *argv[], char **table, break; case 'N': - if (optarg && (*optarg == '-' || *optarg == '!')) - xtables_error(PARAMETER_PROBLEM, - "chain name not allowed to start " - "with `%c'\n", *optarg); - if (xtables_find_target(optarg, XTF_TRY_LOAD)) - xtables_error(PARAMETER_PROBLEM, - "chain name may not clash " - "with target name\n"); + parse_chain(optarg); add_command(&command, CMD_NEW_CHAIN, CMD_NONE, cs.invert); chain = optarg; @@ -1729,11 +1748,6 @@ int do_command4(int argc, char *argv[], char **table, generic_opt_check(command, cs.options); - if (chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, - "chain name `%s' too long (must be under %u chars)", - chain, XT_EXTENSION_MAXNAMELEN); - /* Attempt to acquire the xtables lock */ if (!restore && !xtables_lock(wait)) { fprintf(stderr, "Another app is currently holding the xtables lock. "
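Review bot: in the new parse_chain() (first hunk), `isspace(*ptr)` is handed a plain `char`; on targets where char is signed, any byte above 0x7f becomes a negative int and the call is undefined behaviour, so write `isspace((unsigned char)*ptr)`. Two smaller points in the same function: the whitespace loop runs after `xtables_find_target(chainname, XTF_TRY_LOAD)`, which may try to load an extension module for a name that is about to be rejected anyway, so the cheap character checks (length, leading character, whitespace) should come first; and the message "Invalid chain name `%s'" is the only one of the four that does not say what is wrong, so say that whitespace is not allowed. The trailing "\n" is also inconsistent: two of the four messages carry one and two do not.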
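Review bot: in the `case 'N'` hunk, the removed code guarded the leading-character test with `optarg &&`, but `parse_chain(optarg)` now calls strlen() on it unconditionally. If the reasoning is that -N takes a required argument so getopt always sets optarg, a short comment would make that explicit; otherwise keep the NULL guard, preferably inside parse_chain() so every future caller gets it.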
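Review bot: the length check removed in the last hunk (`chain != NULL && strlen(chain) >= XT_EXTENSION_MAXNAMELEN`) ran on `chain` for every command after option parsing, but in this patch parse_chain() is only called from `case 'N'`. Every other command that sets `chain` therefore loses the user-space length check, and the new whitespace check does not reach those paths either. Either keep this generic check, or call parse_chain() at each point where a user-supplied chain name is accepted, so that the consolidation the commit message describes actually holds.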
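The commit message says whitespace in a chain name breaks iptables-restore but does not show how. The following is an added example, not code from the patch, from Phil Oester or from the iptables project. It assumes a simplified model of how a restore parser reads an iptables-save ":chain policy [pkts:bytes]" line (tokenising on spaces and tabs with strtok_r), and an assumed value of 29 for XT_EXTENSION_MAXNAMELEN. check_chain_name() mirrors the rules the patch enforces, minus the target-name clash check that needs libxtables, and casts to unsigned char before isspace(). The sample lines and names are constructed here.

```c
/* Added example (not the iptables patch): shows why a chain name containing
 * whitespace cannot survive an iptables-save/iptables-restore round trip,
 * and a validator applying the patch's rules with the isspace() cast. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed value of XT_EXTENSION_MAXNAMELEN (libxtables); names with
 * strlen() >= this are rejected, as in the patch. */
#define CHAIN_MAXLEN 29

struct chain_line {
    char chain[64];
    char policy[64];
};

/* Simplified model of a restore parser reading a ":name policy [n:m]"
 * line: split on whitespace, first token is the chain, second the policy.
 * Returns 1 on success, 0 if the line is not a chain line. */
static int parse_chain_line(const char *line, struct chain_line *out)
{
    char buf[256];
    char *chain, *policy, *save;

    if (line == NULL || line[0] != ':')
        return 0;
    snprintf(buf, sizeof(buf), "%s", line + 1);

    chain = strtok_r(buf, " \t\n", &save);
    policy = strtok_r(NULL, " \t\n", &save);
    if (chain == NULL || policy == NULL)
        return 0;
    snprintf(out->chain, sizeof(out->chain), "%s", chain);
    snprintf(out->policy, sizeof(out->policy), "%s", policy);
    return 1;
}

/* 1 if LINE parses to exactly CHAIN and POLICY, else 0. */
static int restore_sees(const char *line, const char *chain, const char *policy)
{
    struct chain_line cl;

    if (!parse_chain_line(line, &cl))
        return 0;
    return strcmp(cl.chain, chain) == 0 && strcmp(cl.policy, policy) == 0;
}

/* Validate a user-supplied chain name. Returns NULL when acceptable,
 * otherwise a short reason. The cast to unsigned char keeps isspace()
 * defined for bytes above 0x7f (in the "C" locale these are not spaces). */
static const char *check_chain_name(const char *name)
{
    const unsigned char *p;

    if (name == NULL || *name == '\0')
        return "empty";
    if (strlen(name) >= CHAIN_MAXLEN)
        return "too long";
    if (*name == '-' || *name == '!')
        return "bad leading char";
    for (p = (const unsigned char *)name; *p; p++)
        if (isspace(*p))
            return "contains whitespace";
    return NULL;
}

int main(void)
{
    /* Constructed save-format lines; the second was produced from a chain
     * that was created as "foo bar" before whitespace was rejected. */
    const char *lines[] = { ":WEB_IN - [0:0]", ":foo bar - [0:0]" };
    const char *names[] = { "WEB_IN", "foo bar", "-bad", "tab\tname", "x\xc2\xa0y" };
    struct chain_line cl;
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        if (parse_chain_line(lines[i], &cl))
            printf("%-18s -> chain=\"%s\" policy=\"%s\"\n",
                   lines[i], cl.chain, cl.policy);

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const char *why = check_chain_name(names[i]);
        printf("%-10s -> %s\n", names[i], why ? why : "ok");
    }
    return 0;
}
```

The ":foo bar - [0:0]" line comes back as chain "foo" with policy "bar", which is why the restore side cannot recover the original name; rejecting the name at creation time, as the patch does, is the only place the problem can be fixed cleanly.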