
[nft,v2] Reject invalid chain priority values in user space

Message ID 20230310112348.32373-1-phil@nwl.cc
State Accepted
Delegated to: Pablo Neira
Series: [nft,v2] Reject invalid chain priority values in user space

Commit Message

Phil Sutter March 10, 2023, 11:23 a.m. UTC
The kernel doesn't accept nat type chains with a priority of -200 or
below. Catch this and provide a better error message than the kernel's
EOPNOTSUPP.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Pull mpz_export_data() call out of the conditional.
- Check priority value before calling strcmp(), it's less expensive.
- Reword the error message as suggested.
---
 src/evaluate.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Pablo Neira Ayuso March 10, 2023, 11:44 a.m. UTC | #1
On Fri, Mar 10, 2023 at 12:23:48PM +0100, Phil Sutter wrote:
> The kernel doesn't accept nat type chains with a priority of -200 or
> below. Catch this and provide a better error message than the kernel's
> EOPNOTSUPP.

LGTM
Phil Sutter March 10, 2023, 11:46 a.m. UTC | #2
On Fri, Mar 10, 2023 at 12:23:48PM +0100, Phil Sutter wrote:
> The kernel doesn't accept nat type chains with a priority of -200 or
> below. Catch this and provide a better error message than the kernel's
> EOPNOTSUPP.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Patch applied.

Patch

diff --git a/src/evaluate.c b/src/evaluate.c
index d24f8b66b0de8..21831201519dd 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4842,6 +4842,8 @@  static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 	}
 
 	if (chain->flags & CHAIN_F_BASECHAIN) {
+		int priority;
+
 		chain->hook.num = str2hooknum(chain->handle.family,
 					      chain->hook.name);
 		if (chain->hook.num == NF_INET_NUMHOOKS)
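Review bot: the `int priority;` added at the top of the CHAIN_F_BASECHAIN block has its only use in the mpz_export_data() call further down, after the hook-number and priority-expression checks; declaring it right before that call (C99 mixed declarations are already in use elsewhere in this file) would keep the variable's scope tight and make the later hunk self-explanatory without scrolling back to this one.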
@@ -4854,6 +4856,13 @@  static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
 			return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
 						   "invalid priority expression %s in this context.",
 						   expr_name(chain->priority.expr));
+
+		mpz_export_data(&priority, chain->priority.expr->value,
+				BYTEORDER_HOST_ENDIAN, sizeof(int));
+		if (priority <= -200 && !strcmp(chain->type.str, "nat"))
+			return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
+						   "Chains of type \"nat\" must have a priority value above -200.");
+
 		if (chain->policy) {
 			expr_set_context(&ctx->ectx, &policy_type,
 					 NFT_NAME_MAXLEN * BITS_PER_BYTE);
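Review bot: the `priority <= -200` comparison hard-codes the threshold the kernel enforces for nat chains; spelling it as `NF_IP_PRI_CONNTRACK` (the netfilter priority constant whose value is -200) would document why this bound exists and keep the user-space check from drifting if the kernel definition ever moves. Two smaller points on the same hunk: the new error text "Chains of type \"nat\" must have a priority value above -200." is capitalised while the neighbouring message in this function ("invalid priority expression %s in this context.") is not, so one of the two styles should win; and since mpz_export_data() writes exactly sizeof(int) bytes into `priority`, it is worth a comment (or an assertion on the expression's byte length) that the evaluation above guarantees the value already fits a 32-bit integer, otherwise a larger mpz value would be silently truncated before the comparison.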