Message-ID: <5f2655c0-8e66-4aa4-a94a-e6a45be44105@blackwall.org> Date: Thu, 26 Oct 2023 17:34:05 +0300 From: Nikolay Aleksandrov <razor@...ckwall.org> To: Ido Schimmel <idosch@...sch.org> Cc: bpf@...r.kernel.org, jiri@...nulli.us, netdev@...r.kernel.org, martin.lau@...ux.dev, ast@...nel.org, andrii@...nel.org, john.fastabend@...il.com, kuba@...nel.org, andrew@...n.ch, toke@...nel.org, toke@...hat.com, sdf@...gle.com, daniel@...earbox.net Subject: Re: [PATCH bpf-next 2/2] netkit: use netlink policy for mode and policy attributes validation On 10/26/23 17:23, Nikolay Aleksandrov wrote: > On 10/26/23 17:11, Ido Schimmel wrote: >> On Thu, Oct 26, 2023 at 12:41:06PM +0300, Nikolay Aleksandrov wrote: >>> static const struct nla_policy netkit_policy[IFLA_NETKIT_MAX + 1] = { >>> [IFLA_NETKIT_PEER_INFO] = { .len = sizeof(struct >>> ifinfomsg) }, >>> - [IFLA_NETKIT_POLICY] = { .type = NLA_U32 }, >>> - [IFLA_NETKIT_MODE] = { .type = NLA_U32 }, >>> - [IFLA_NETKIT_PEER_POLICY] = { .type = NLA_U32 }, >>> + [IFLA_NETKIT_POLICY] = NLA_POLICY_VALIDATE_FN(NLA_U32, >>> + netkit_check_policy), >> >> Nik, it's problematic to use NLA_POLICY_VALIDATE_FN() with anything >> other than NLA_BINARY. See commit 9e17f99220d1 ("net/sched: act_mpls: >> Fix warning during failed attribute validation"). >> > > But how is that code called at all? The validation type is > NLA_VALIDATE_FUNCTION(), not NLA_VALIDATE_MIN/MAX/RANGE/RANGE_WARN... > nla_validate_int_range() is called only on: > case NLA_VALIDATE_RANGE_PTR: > case NLA_VALIDATE_RANGE: > case NLA_VALIDATE_RANGE_WARN_TOO_LONG: > case NLA_VALIDATE_MIN: > case NLA_VALIDATE_MAX: > Ah, I'm looking at the wrong thing.. I saw the problem. :) > Anyway, I'll switch to NLA_BINARY in a bit to make sure it's ok. Thanks > for the pointer. 
> >>> + [IFLA_NETKIT_MODE] = NLA_POLICY_VALIDATE_FN(NLA_U32, >>> + netkit_check_mode), >>> + [IFLA_NETKIT_PEER_POLICY] = NLA_POLICY_VALIDATE_FN(NLA_U32, >>> + netkit_check_policy), >>> [IFLA_NETKIT_PRIMARY] = { .type = NLA_REJECT, >>> .reject_message = "Primary attribute is >>> read-only" }, >>> }; >>> -- >>> 2.38.1 >>> >>> >
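Review bot: the three entries for IFLA_NETKIT_POLICY, IFLA_NETKIT_MODE and IFLA_NETKIT_PEER_POLICY pass NLA_U32 as the type to NLA_POLICY_VALIDATE_FN(), which Ido's reply flags as problematic for anything other than NLA_BINARY, citing commit 9e17f99220d1 ("net/sched: act_mpls: Fix warning during failed attribute validation"). Switch these entries to NLA_BINARY, as the author already proposes in the reply. Once the type no longer says the attribute is a u32, confirm that netkit_check_policy and netkit_check_mode check the attribute length themselves before reading the value. The IFLA_NETKIT_PEER_INFO and IFLA_NETKIT_PRIMARY entries are unchanged context and need no change.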