From: Maciej Żenczykowski
To: Maciej Żenczykowski, Pablo Neira Ayuso, Florian Westphal
Cc: Linux Network Development Mailing List, Netfilter Development Mailing List, Manoj Basapathi, Subash Abhinov Kasiviswanathan
Subject: [PATCH netfilter] netfilter: xt_IDLETIMER: fix idletimer_tg_helper non-kosher casts
Date: Fri, 2 Apr 2021 13:11:56 -0700
Message-Id: <20210402201156.2789453-1-zenczykowski@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Maciej Żenczykowski

The code is relying on the identical layout of the beginning
of the v0 and v1 structs, but this can easily lead to code bugs
if one were to try to extend this further...

I use:
  char (*plabel)[MAX_IDLETIMER_LABEL_SIZE]
instead of:
  char label[MAX_IDLETIMER_LABEL_SIZE]
as the helper's argument to get better type safety
(the former checks array size, the latter does not).

Cc: Manoj Basapathi
Cc: Subash Abhinov Kasiviswanathan
Signed-off-by: Maciej Żenczykowski
---
 net/netfilter/xt_IDLETIMER.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c index 7b2f359bfce4..2b5e81f6e0bd 100644 --- a/net/netfilter/xt_IDLETIMER.c +++ b/net/netfilter/xt_IDLETIMER.c
@@ -283,18 +283,19 @@ static unsigned int idletimer_tg_target_v1(struct sk_buff *skb, return XT_CONTINUE; } -static int idletimer_tg_helper(struct idletimer_tg_info *info) +static int idletimer_tg_helper(__u32 timeout, + char (*plabel)[MAX_IDLETIMER_LABEL_SIZE]) { - if (info->timeout == 0) { + if (timeout == 0) { pr_debug("timeout value is zero\n"); return -EINVAL; } - if (info->timeout >= INT_MAX / 1000) { + if (timeout >= INT_MAX / 1000) { pr_debug("timeout value is too big\n"); return -EINVAL; } - if (info->label[0] == '\0' || - strnlen(info->label, + if ((*plabel)[0] == '\0' || + strnlen(*plabel, MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) { pr_debug("label is empty or not nul-terminated\n"); return -EINVAL; @@ -310,9 +311,8 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) pr_debug("checkentry targinfo%s\n", info->label); - ret = idletimer_tg_helper(info); - if(ret < 0) - { + ret = idletimer_tg_helper(info->timeout, &info->label); + if (ret < 0) { pr_debug("checkentry helper return invalid\n"); return -EINVAL; } @@ -349,9 +349,8 @@ static int idletimer_tg_checkentry_v1(const struct xt_tgchk_param *par) if (info->send_nl_msg) return -EOPNOTSUPP; - ret = idletimer_tg_helper((struct idletimer_tg_info *)info); - if(ret < 0) - { + ret = idletimer_tg_helper(info->timeout, &info->label); + if (ret < 0) { pr_debug("checkentry helper return invalid\n"); return -EINVAL; }
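
Review bot: In the first hunk (idletimer_tg_helper), the strnlen bound is still spelled out as MAX_IDLETIMER_LABEL_SIZE twice even though the new parameter type already carries the array size. Writing the test as strnlen(*plabel, sizeof(*plabel)) == sizeof(*plabel) would make the bound follow the parameter type if that type is ever changed. A smaller style point on the same hunk: the helper is a static in-kernel function, so u32 would be the usual spelling for the timeout parameter rather than __u32.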
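
Review bot: In the idletimer_tg_checkentry hunk, the context line pr_debug("checkentry targinfo%s\n", info->label) still formats the label with %s before idletimer_tg_helper() has confirmed that it is NUL-terminated, so with debug output enabled an unterminated label is read past the end of the array. Consider moving that pr_debug below the helper call, or bounding it with %.*s and MAX_IDLETIMER_LABEL_SIZE.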
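
Review bot: In the idletimer_tg_checkentry_v1 hunk (the idletimer_tg_checkentry hunk has the same pattern), ret from idletimer_tg_helper() is tested and then discarded in favour of a hard-coded -EINVAL. Since these lines are being rewritten anyway, returning ret directly would keep the callers in step with the helper if it ever gains another error code.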
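
The type-safety argument in the commit message, as an added userspace example (not code from the patch or the kernel). LABEL_SIZE, both structs and all function names are assumptions made for illustration, and `memchr` stands in for the patch's `strnlen` test.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <string.h>

#define LABEL_SIZE 28 /* constructed stand-in for MAX_IDLETIMER_LABEL_SIZE */

/* Constructed layouts: v1 has an extra field BEFORE the label, so a helper
 * that casts v1 to v0 would validate the wrong bytes. */
struct info_v0 { uint32_t timeout; char label[LABEL_SIZE]; };
struct info_v1 { uint32_t timeout; uint8_t flags; char label[LABEL_SIZE]; };

/* 1 only when p is exactly "pointer to char[LABEL_SIZE]"; the compiler
 * applies the same type check to the helper's plabel argument. */
#define IS_LABEL_PTR(p) _Generic((p), char (*)[LABEL_SIZE]: 1, default: 0)

/* Field-wise helper: the bound comes from the parameter type itself. */
static int validate(uint32_t timeout, char (*plabel)[LABEL_SIZE])
{
	if (timeout == 0 || timeout >= (uint32_t)(INT_MAX / 1000))
		return -EINVAL;
	if ((*plabel)[0] == '\0' ||
	    memchr(*plabel, '\0', sizeof(*plabel)) == NULL)
		return -EINVAL; /* empty or not NUL-terminated */
	return 0;
}

/* v1 caller: fields are passed by name, so no cast or layout assumption. */
static int check_v1(const char *text, uint32_t timeout)
{
	struct info_v1 info = { .timeout = timeout, .flags = 0xff };
	size_t n = strlen(text);

	/* Copy without forcing a terminator, like untrusted input. */
	memcpy(info.label, text, n < LABEL_SIZE ? n : LABEL_SIZE);
	return validate(info.timeout, &info.label);
}

/* Bit 0: full-size array; bit 1: short array; bit 2: decayed char *. */
static int accepted_types(void)
{
	struct info_v0 v0 = { 0 };
	char small[8] = { 0 };
	char *decayed = v0.label;

	return IS_LABEL_PTR(&v0.label) | IS_LABEL_PTR(&small) << 1 |
	       IS_LABEL_PTR(decayed) << 2;
}

int main(void) { return accepted_types() == 1 && check_v1("wlan0", 60) == 0 ? 0 : 1; }
```

Only the full-size array address has the type the helper accepts; a shorter array or a decayed pointer is a different type, which is the array-size check the commit message refers to.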