Commit 92f73221 authored by Gao Feng's avatar Gao Feng Committed by Pablo Neira Ayuso

netfilter: expect: Make sure the max_expected limit is effective

Because `expecting`, the member of nf_conn_help, is a u8, it would
overflow after reaching U8_MAX (255). So it doesn't work when we
configure an expect policy whose max_expected exceeds 255.

Now add the check for max_expected. Return the -EINVAL when it exceeds
the limit.
Signed-off-by: default avatarGao Feng <fgao@ikuai8.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f323d954
...@@ -73,6 +73,7 @@ struct nf_conntrack_expect_policy { ...@@ -73,6 +73,7 @@ struct nf_conntrack_expect_policy {
}; };
#define NF_CT_EXPECT_CLASS_DEFAULT 0 #define NF_CT_EXPECT_CLASS_DEFAULT 0
#define NF_CT_EXPECT_MAX_CNT 255
int nf_conntrack_expect_pernet_init(struct net *net); int nf_conntrack_expect_pernet_init(struct net *net);
void nf_conntrack_expect_pernet_fini(struct net *net); void nf_conntrack_expect_pernet_fini(struct net *net);
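Review bot: The new `#define NF_CT_EXPECT_MAX_CNT 255` after `NF_CT_EXPECT_CLASS_DEFAULT` is a bare magic number whose only justification — the u8 width of the `expecting` counter in nf_conn_help — lives in the commit message, not in the header, so anyone widening that counter later has no pointer back to this limit. Tie the two together where the constant is defined, e.g. `#define NF_CT_EXPECT_MAX_CNT U8_MAX /* nf_conn_help.expecting is a u8 */`, or at least a comment to that effect on the define; U8_MAX is the macro the commit message itself refers to. Keeping the name derived from the field's type also makes the three call-site checks this commit adds self-explanatory.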
...@@ -385,6 +385,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) ...@@ -385,6 +385,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
return -EINVAL;
mutex_lock(&nf_ct_helper_mutex); mutex_lock(&nf_ct_helper_mutex);
hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) { if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) {
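Review bot: The check added before `mutex_lock(&nf_ct_helper_mutex)` reads `me->expect_policy->max_expected` only, i.e. the first policy, while the `BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES)` two lines above shows a helper can carry several expect classes; if `expect_policy` is indexed by class, as the presence of expect_class_max suggests, classes 1..expect_class_max are never validated and a helper with an oversized policy in a later class still registers and can hit the u8 wrap this commit is fixing. Iterating over all classes closes that gap (with `i` declared at the top of the function, which begins and ends outside this hunk); if a helper may legitimately register with a NULL `expect_policy`, the loop needs that guard as well — the callers are not visible here. Since -EINVAL at registration also fails module load for in-tree helpers, a pr_err naming `me->name` (already validated on the line above) would make that failure diagnosable from dmesg.
```c
	/* Every expect class must fit the u8 nf_conn_help.expecting counter. */
	for (i = 0; i <= me->expect_class_max; i++) {
		if (me->expect_policy[i].max_expected > NF_CT_EXPECT_MAX_CNT)
			return -EINVAL;
	}
	/* … unchanged: mutex_lock and duplicate-tuple scan … */
```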
...@@ -243,6 +243,12 @@ static int __init nf_conntrack_irc_init(void) ...@@ -243,6 +243,12 @@ static int __init nf_conntrack_irc_init(void)
return -EINVAL; return -EINVAL;
} }
if (max_dcc_channels > NF_CT_EXPECT_MAX_CNT) {
pr_err("max_dcc_channels must not be more than %u\n",
NF_CT_EXPECT_MAX_CNT);
return -EINVAL;
}
irc_exp_policy.max_expected = max_dcc_channels; irc_exp_policy.max_expected = max_dcc_channels;
irc_exp_policy.timeout = dcc_timeout; irc_exp_policy.timeout = dcc_timeout;
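Review bot: The new pr_err in nf_conntrack_irc_init reports the limit but not the value that was rejected, so an operator reading dmesg after a failed modprobe has to go back and find the max_dcc_channels parameter they passed. Printing both is cheap: `pr_err("max_dcc_channels must not be more than %u (got %u)\n", NF_CT_EXPECT_MAX_CNT, max_dcc_channels);` — adjust the second specifier if max_dcc_channels is not an unsigned int, as its declaration is outside the hunk. The placement of the check, before the value is copied into `irc_exp_policy.max_expected`, is correct.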
...@@ -150,6 +150,9 @@ nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy, ...@@ -150,6 +150,9 @@ nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN); nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
expect_policy->max_expected = expect_policy->max_expected =
ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX])); ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
if (expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
return -EINVAL;
expect_policy->timeout = expect_policy->timeout =
ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT])); ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
...@@ -290,6 +293,9 @@ nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy, ...@@ -290,6 +293,9 @@ nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
new_policy->max_expected = new_policy->max_expected =
ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX])); ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
if (new_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
return -EINVAL;
new_policy->timeout = new_policy->timeout =
ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT])); ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
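Review bot: In nfnl_cthelper_expect_policy the value taken from `tb[NFCTH_POLICY_EXPECT_MAX]` is stored into `expect_policy->max_expected` before it is range-checked, so on the -EINVAL path the policy object already holds the rejected out-of-range value; nfnl_cthelper_update_policy_one in the second hunk does the same with `new_policy`. Whether that matters depends on the callers discarding the object on error, which is outside both hunks; validating into a local first removes the question: `u32 max_expected = ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX])); if (max_expected > NF_CT_EXPECT_MAX_CNT) return -EINVAL; expect_policy->max_expected = max_expected;`, and likewise for `new_policy`. These values arrive from userspace over nfnetlink, which is exactly where a check-before-store pattern is worth keeping strict. Both enclosing functions begin and end outside their hunks.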