| From e46cb4de25bb05ecf3790be85f72aed0b93aaabf Mon Sep 17 00:00:00 2001 |
| From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> |
| Date: Fri, 1 Nov 2019 17:13:18 +0100 |
| Subject: [PATCH] netfilter: ipset: Fix nla_policies to fully support |
| NL_VALIDATE_STRICT |
| |
| commit 1289975643f4cdecb071dc641059a47679fd170f upstream. |
| |
| Since v5.2 (commit "netlink: re-add parse/validate functions in strict |
| mode") NL_VALIDATE_STRICT is enabled. Fix the ipset nla_policies that did |
| not support strict mode, and convert the deprecated (non-validating) parse calls to their strict, validating counterparts. |
| |
| Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c |
| index 7c7416e9b5de..e11e18d5b6fb 100644 |
| --- a/net/netfilter/ipset/ip_set_core.c |
| +++ b/net/netfilter/ipset/ip_set_core.c |
| @@ -296,7 +296,8 @@ ip_set_get_ipaddr4(struct nlattr *nla, __be32 *ipaddr) |
| |
| if (unlikely(!flag_nested(nla))) |
| return -IPSET_ERR_PROTOCOL; |
| - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL)) |
| + if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, |
| + ipaddr_policy, NULL)) |
| return -IPSET_ERR_PROTOCOL; |
| if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4))) |
| return -IPSET_ERR_PROTOCOL; |
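Review bot: The `flag_nested(nla)` guard two lines above the converted call is now duplicated by `nla_parse_nested`, which in strict mode itself rejects a nested attribute that lacks NLA_F_NESTED; both paths return -IPSET_ERR_PROTOCOL here, so behaviour is unchanged, but a comment would keep a later cleanup from removing the wrong one, e.g. `/* nla_parse_nested() also rejects a missing NLA_F_NESTED; the explicit check is kept for the early error path */`. The NULL extack also discards the validator's reason for rejecting the address attribute, which this helper's signature has no way to forward. ip_set_get_ipaddr4 begins and ends outside this hunk.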
| @@ -314,7 +315,8 @@ ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr) |
| if (unlikely(!flag_nested(nla))) |
| return -IPSET_ERR_PROTOCOL; |
| |
| - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy, NULL)) |
| + if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, |
| + ipaddr_policy, NULL)) |
| return -IPSET_ERR_PROTOCOL; |
| if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6))) |
| return -IPSET_ERR_PROTOCOL; |
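Review bot: The strict parse validates against ipaddr_policy, which is not visible in this hunk; if IPSET_ATTR_IPADDR_IPV6 is declared there as NLA_BINARY, strict mode still only enforces a maximum length, so a shorter payload would still reach whatever copies the address out of `tb[IPSET_ATTR_IPADDR_IPV6]` after the hunk (presumably a fixed-size `struct in6_addr` copy). A cheap explicit check next to the netorder test, `if (nla_len(tb[IPSET_ATTR_IPADDR_IPV6]) != sizeof(struct in6_addr)) return -IPSET_ERR_PROTOCOL;`, or an exact-length policy entry if this tree supports one, closes that regardless of what the policy says. ip_set_get_ipaddr6 begins and ends outside the hunk.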
| @@ -934,7 +936,8 @@ static int ip_set_create(struct net *net, struct sock *ctnl, |
| |
| /* Without holding any locks, create private part. */ |
| if (attr[IPSET_ATTR_DATA] && |
| - nla_parse_nested_deprecated(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], set->type->create_policy, NULL)) { |
| + nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA], |
| + set->type->create_policy, NULL)) { |
| ret = -IPSET_ERR_PROTOCOL; |
| goto put_out; |
| } |
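Review bot: The new strict parse passes NULL as extack, so when a set type's create_policy rejects an attribute — unknown type above IPSET_ATTR_CREATE_MAX, trailing padding, an unterminated string, all newly rejected in strict mode — userspace only sees the generic -IPSET_ERR_PROTOCOL. If ip_set_create receives the nfnl_callback extack parameter (its signature is cut off at the hunk header), forward it: `set->type->create_policy, extack)) {`. ip_set_create starts and ends outside this hunk.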
| @@ -1281,6 +1284,14 @@ dump_attrs(struct nlmsghdr *nlh) |
| } |
| } |
| |
| +static const struct nla_policy |
| +ip_set_dump_policy[IPSET_ATTR_CMD_MAX + 1] = { |
| + [IPSET_ATTR_PROTOCOL] = { .type = NLA_U8 }, |
| + [IPSET_ATTR_SETNAME] = { .type = NLA_NUL_STRING, |
| + .len = IPSET_MAXNAMELEN - 1 }, |
| + [IPSET_ATTR_FLAGS] = { .type = NLA_U32 }, |
| +}; |
| + |
| static int |
| dump_init(struct netlink_callback *cb, struct ip_set_net *inst) |
| { |
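Review bot: The new ip_set_dump_policy carries no comment explaining why it exists next to ip_set_setname_policy, and the difference is exactly what strict mode hinges on: LIST requests carry IPSET_ATTR_FLAGS, which a setname-only policy leaves as NLA_UNSPEC and strict validation then rejects. I would put above the table `/* LIST/SAVE requests: setname policy plus IPSET_ATTR_FLAGS; strict mode rejects any attribute absent from the policy */`. The `.len = IPSET_MAXNAMELEN - 1` bound for the NLA_NUL_STRING is correct (len excludes the terminator) and should match the value used in ip_set_setname_policy, which is outside this hunk — worth confirming so the two policies cannot drift.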
| @@ -1292,9 +1303,9 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst) |
| ip_set_id_t index; |
| int ret; |
| |
| - ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, attr, |
| - nlh->nlmsg_len - min_len, |
| - ip_set_setname_policy, NULL); |
| + ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, attr, |
| + nlh->nlmsg_len - min_len, |
| + ip_set_dump_policy, NULL); |
| if (ret) |
| return ret; |
| |
| @@ -1543,9 +1554,9 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set, |
| memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); |
| cmdattr = (void *)&errmsg->msg + min_len; |
| |
| - ret = nla_parse_deprecated(cda, IPSET_ATTR_CMD_MAX, cmdattr, |
| - nlh->nlmsg_len - min_len, |
| - ip_set_adt_policy, NULL); |
| + ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr, |
| + nlh->nlmsg_len - min_len, ip_set_adt_policy, |
| + NULL); |
| |
| if (ret) { |
| nlmsg_free(skb2); |
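Review bot: Style: the continuation of this nla_parse call splits `ip_set_adt_policy, NULL)` so that a lone `NULL);` sits on its own line, unlike the dump_init conversion in the same patch, which keeps the policy and extack arguments together; `nlh->nlmsg_len - min_len,` followed by `ip_set_adt_policy, NULL);` reads the same as the other call site. Worth a comment too: this parses the copy of the request in `errmsg->msg`, which presumably already passed the same policy at the nfnetlink layer, so a failure here points at the copy/offset arithmetic rather than at bad input. call_ad begins and ends outside the hunk.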
| @@ -1594,7 +1605,9 @@ static int ip_set_uadd(struct net *net, struct sock *ctnl, struct sk_buff *skb, |
| |
| use_lineno = !!attr[IPSET_ATTR_LINENO]; |
| if (attr[IPSET_ATTR_DATA]) { |
| - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL)) |
| + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, |
| + attr[IPSET_ATTR_DATA], |
| + set->type->adt_policy, NULL)) |
| return -IPSET_ERR_PROTOCOL; |
| ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags, |
| use_lineno); |
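Review bot: With the strict nested parse, any attribute userspace places inside IPSET_ATTR_DATA that a set type's adt_policy does not list is now rejected with -IPSET_ERR_PROTOCOL instead of being silently ignored; this patch adds IPSET_ATTR_LINENO only to hash:net and hash:net,net, so the remaining set types should be checked for the same gap before this backport ships or `ipset restore` will break for them. A short comment at the call records the new requirement: `/* strict mode: adt_policy must list every attribute ipset(8) puts in DATA, including LINENO */`. ip_set_uadd begins and ends outside this hunk.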
| @@ -1605,7 +1618,8 @@ static int ip_set_uadd(struct net *net, struct sock *ctnl, struct sk_buff *skb, |
| memset(tb, 0, sizeof(tb)); |
| if (nla_type(nla) != IPSET_ATTR_DATA || |
| !flag_nested(nla) || |
| - nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, nla, set->type->adt_policy, NULL)) |
| + nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla, |
| + set->type->adt_policy, NULL)) |
| return -IPSET_ERR_PROTOCOL; |
| ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, |
| flags, use_lineno); |
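Review bot: The `memset(tb, 0, sizeof(tb))` that precedes the converted call is redundant if `nla_parse_nested` zeroes `tb[0..IPSET_ATTR_ADT_MAX]` itself, as the upstream strict parser does; it is harmless, but either drop it or note why it stays, e.g. `/* nla_parse_nested() clears tb[] itself; memset kept only for older parsers */`. The NULL extack also means a per-element rejection inside this loop cannot tell userspace which attribute of which DATA entry failed, which matters more here than in the single-entry path because several elements are parsed in turn. ip_set_uadd begins and ends outside this hunk.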
| @@ -1688,7 +1702,8 @@ static int ip_set_utest(struct net *net, struct sock *ctnl, struct sk_buff *skb, |
| if (!set) |
| return -ENOENT; |
| |
| - if (nla_parse_nested_deprecated(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], set->type->adt_policy, NULL)) |
| + if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA], |
| + set->type->adt_policy, NULL)) |
| return -IPSET_ERR_PROTOCOL; |
| |
| rcu_read_lock_bh(); |
| @@ -1994,7 +2009,7 @@ static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = { |
| [IPSET_CMD_LIST] = { |
| .call = ip_set_dump, |
| .attr_count = IPSET_ATTR_CMD_MAX, |
| - .policy = ip_set_setname_policy, |
| + .policy = ip_set_dump_policy, |
| }, |
| [IPSET_CMD_SAVE] = { |
| .call = ip_set_dump, |
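Review bot: Only IPSET_CMD_LIST's nfnetlink policy is switched to ip_set_dump_policy, while IPSET_CMD_SAVE, whose `.policy` entry sits just past the end of the hunk, shares `.call = ip_set_dump` and therefore the dump_init parse that now uses ip_set_dump_policy. If SAVE requests can also carry IPSET_ATTR_FLAGS, the nfnetlink-level pre-validation with a setname-only policy would reject them in strict mode before dump_init ever runs; please confirm SAVE's entry is either already `.policy = ip_set_dump_policy,` or never receives FLAGS. The callback table continues outside this hunk.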
| diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c |
| index 06c91e49bf25..471e69928e8e 100644 |
| --- a/net/netfilter/ipset/ip_set_hash_net.c |
| +++ b/net/netfilter/ipset/ip_set_hash_net.c |
| @@ -369,6 +369,7 @@ static struct ip_set_type hash_net_type __read_mostly = { |
| [IPSET_ATTR_IP_TO] = { .type = NLA_NESTED }, |
| [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, |
| [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, |
| + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, |
| [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, |
| [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |
| diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c |
| index 832e4f5491cb..975ba1892ae4 100644 |
| --- a/net/netfilter/ipset/ip_set_hash_netnet.c |
| +++ b/net/netfilter/ipset/ip_set_hash_netnet.c |
| @@ -476,6 +476,7 @@ static struct ip_set_type hash_netnet_type __read_mostly = { |
| [IPSET_ATTR_CIDR] = { .type = NLA_U8 }, |
| [IPSET_ATTR_CIDR2] = { .type = NLA_U8 }, |
| [IPSET_ATTR_TIMEOUT] = { .type = NLA_U32 }, |
| + [IPSET_ATTR_LINENO] = { .type = NLA_U32 }, |
| [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 }, |
| [IPSET_ATTR_BYTES] = { .type = NLA_U64 }, |
| [IPSET_ATTR_PACKETS] = { .type = NLA_U64 }, |
| -- |
| 2.7.4 |
| |