| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Mar 2015 15:22:07 +0100 From: Richard Weinberger <richard@....at> To: Pablo Neira Ayuso <pablo@...filter.org> CC: netdev@...r.kernel.org, linux-wireless@...r.kernel.org, coreteam@...filter.org, netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org, sameo@...ux.intel.com, aloisio.almeida@...nbossa.org, lauro.venancio@...nbossa.org, davem@...emloft.net, kadlec@...ckhole.kfki.hu, kaber@...sh.net Subject: Re: [PATCH 4/4] netfilter: Fix format string of nfnetlink_queue proc file Am 13.03.2015 um 14:53 schrieb Pablo Neira Ayuso: > On Fri, Mar 13, 2015 at 02:43:54PM +0100, Richard Weinberger wrote: >> Am 13.03.2015 um 13:15 schrieb Pablo Neira Ayuso: >>> On Fri, Mar 13, 2015 at 12:31:16PM +0100, Richard Weinberger wrote: >>>> The printed values are all of type unsigned integer, therefore use >>>> %u instead of %d. Otherwise an user can face negative values. >>>> >>>> Fixes: >>>> $ cat /proc/net/netfilter/nfnetlink_queue >>>> 0 29508 278 2 65531 0 2004213241 -2129885586 1 >>>> 1 -27747 0 2 65531 0 0 0 1 >>>> 2 -27748 0 2 65531 0 0 0 1 >>> >>> I guess you want to access stats on dropped packets. >> >> Correct. :) >> >>> I prefer if you extend nfnetlink_queue to provide statistics through >>> nfnetlink_queue, so you don't have to manually parse this text-based >>> /proc entry and we can deprecate this interface. That shouldn't have >>> been there in first place. >> >> You mean statistics via netlink attributes? I can add that! > > Add a new NFQNL_CFG_CMD_STATS command to request the statistics. If > NLM_F_DUMP is set, then we'll basically provide the full list of > instances. Otherwise, in case you want to retrieve stats for a > specific netlink socket, you can use the netlink portID as index. > And you'll have to add attributes for this new command, yes. This was my plan. Thanks for the pointer! >> But I think we should also fix the format string of the proc file >> as the fix is easy and non-intrusive. > > Unfortunately we don't know how many people are relying on that > output, I prefer to remain conservative and provide a proper netlink > interface for this. I understand your concerns but an application which is able to parse positive and negative numbers can also parse pure positives. Just made a small test application, glibc's %d in sscanf() can also deal with UINT_MAX. And I don't expect that applications to check whether the returned values from /proc/net/netfilter/nfnetlink_queue are between INT_MIN and INT_MAX. That said, I'd have assumed that an user would report negative values as plain kernel bug. Thanks, //richard -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists