mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-13 16:56:53 +07:00
netfilter: x_tables: do compat validation via translate_table
This looks like refactoring, but its also a bug fix. Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few sanity tests that are done in the normal path. For example, we do not check for underflows and the base chain policies. While its possible to also add such checks to the compat path, its more copy&pastry, for instance we cannot reuse check_underflow() helper as e->target_offset differs in the compat case. Other problem is that it makes auditing for validation errors harder; two places need to be checked and kept in sync. At a high level 32 bit compat works like this: 1- initial pass over blob: validate match/entry offsets, bounds checking lookup all matches and targets do bookkeeping wrt. size delta of 32/64bit structures assign match/target.u.kernel pointer (points at kernel implementation, needed to access ->compatsize etc.) 2- allocate memory according to the total bookkeeping size to contain the translated ruleset 3- second pass over original blob: for each entry, copy the 32bit representation to the newly allocated memory. This also does any special match translations (e.g. adjust 32bit to 64bit longs, etc). 4- check if ruleset is free of loops (chase all jumps) 5-first pass over translated blob: call the checkentry function of all matches and targets. The alternative implemented by this patch is to drop steps 3&4 from the compat process, the translation is changed into an intermediate step rather than a full 1:1 translate_table replacement. In the 2nd pass (step #3), change the 64bit ruleset back to a kernel representation, i.e. put() the kernel pointer and restore ->u.user.name . This gets us a 64bit ruleset that is in the format generated by a 64bit iptables userspace -- we can then use translate_table() to get the 'native' sanity checks. This has two drawbacks: 1. we re-validate all the match and target entry structure sizes even though compat translation is supposed to never generate bogus offsets. 2. we put and then re-lookup each match and target. THe upside is that we get all sanity tests and ruleset validations provided by the normal path and can remove some duplicated compat code. iptables-restore time of autogenerated ruleset with 300k chains of form -A CHAIN0001 -m limit --limit 1/s -j CHAIN0002 -A CHAIN0002 -m limit --limit 1/s -j CHAIN0003 shows no noticeable differences in restore times: old: 0m30.796s new: 0m31.521s 64bit: 0m25.674s Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
0188346f21
commit
09d9686047
@ -1234,19 +1234,17 @@ static inline void compat_release_entry(struct compat_arpt_entry *e)
|
||||
module_put(t->u.kernel.target->me);
|
||||
}
|
||||
|
||||
static inline int
|
||||
static int
|
||||
check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
|
||||
struct xt_table_info *newinfo,
|
||||
unsigned int *size,
|
||||
const unsigned char *base,
|
||||
const unsigned char *limit,
|
||||
const unsigned int *hook_entries,
|
||||
const unsigned int *underflows)
|
||||
const unsigned char *limit)
|
||||
{
|
||||
struct xt_entry_target *t;
|
||||
struct xt_target *target;
|
||||
unsigned int entry_offset;
|
||||
int ret, off, h;
|
||||
int ret, off;
|
||||
|
||||
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
||||
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
|
||||
@ -1291,17 +1289,6 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
|
||||
if (ret)
|
||||
goto release_target;
|
||||
|
||||
/* Check hooks & underflows */
|
||||
for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
|
||||
if ((unsigned char *)e - base == hook_entries[h])
|
||||
newinfo->hook_entry[h] = hook_entries[h];
|
||||
if ((unsigned char *)e - base == underflows[h])
|
||||
newinfo->underflow[h] = underflows[h];
|
||||
}
|
||||
|
||||
/* Clear counters and comefrom */
|
||||
memset(&e->counters, 0, sizeof(e->counters));
|
||||
e->comefrom = 0;
|
||||
return 0;
|
||||
|
||||
release_target:
|
||||
@ -1351,7 +1338,7 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
||||
struct xt_table_info *newinfo, *info;
|
||||
void *pos, *entry0, *entry1;
|
||||
struct compat_arpt_entry *iter0;
|
||||
struct arpt_entry *iter1;
|
||||
struct arpt_replace repl;
|
||||
unsigned int size;
|
||||
int ret = 0;
|
||||
|
||||
@ -1360,12 +1347,6 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
||||
size = compatr->size;
|
||||
info->number = compatr->num_entries;
|
||||
|
||||
/* Init all hooks to impossible value. */
|
||||
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
|
||||
info->hook_entry[i] = 0xFFFFFFFF;
|
||||
info->underflow[i] = 0xFFFFFFFF;
|
||||
}
|
||||
|
||||
duprintf("translate_compat_table: size %u\n", info->size);
|
||||
j = 0;
|
||||
xt_compat_lock(NFPROTO_ARP);
|
||||
@ -1374,9 +1355,7 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
||||
xt_entry_foreach(iter0, entry0, compatr->size) {
|
||||
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
|
||||
entry0,
|
||||
entry0 + compatr->size,
|
||||
compatr->hook_entry,
|
||||
compatr->underflow);
|
||||
entry0 + compatr->size);
|
||||
if (ret != 0)
|
||||
goto out_unlock;
|
||||
++j;
|
||||
@ -1389,23 +1368,6 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
||||
goto out_unlock;
|
||||
}
|
||||
|
||||
/* Check hooks all assigned */
|
||||
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
|
||||
/* Only hooks which are valid */
|
||||
if (!(compatr->valid_hooks & (1 << i)))
|
||||
continue;
|
||||
if (info->hook_entry[i] == 0xFFFFFFFF) {
|
||||
duprintf("Invalid hook entry %u %u\n",
|
||||
i, info->hook_entry[i]);
|
||||
goto out_unlock;
|
||||
}
|
||||
if (info->underflow[i] == 0xFFFFFFFF) {
|
||||
duprintf("Invalid underflow %u %u\n",
|
||||
i, info->underflow[i]);
|
||||
goto out_unlock;
|
||||
}
|
||||
}
|
||||
|
||||
ret = -ENOMEM;
|
||||
newinfo = xt_alloc_table_info(size);
|
||||
if (!newinfo)
|
||||
@ -1422,55 +1384,26 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
||||
xt_entry_foreach(iter0, entry0, compatr->size)
|
||||
compat_copy_entry_from_user(iter0, &pos, &size,
|
||||
newinfo, entry1);
|
||||
|
||||
/* all module references in entry0 are now gone */
|
||||
|
||||
xt_compat_flush_offsets(NFPROTO_ARP);
|
||||
xt_compat_unlock(NFPROTO_ARP);
|
||||
|
||||
ret = -ELOOP;
|
||||
if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
|
||||
memcpy(&repl, compatr, sizeof(*compatr));
|
||||
|
||||
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
|
||||
repl.hook_entry[i] = newinfo->hook_entry[i];
|
||||
repl.underflow[i] = newinfo->underflow[i];
|
||||
}
|
||||
|
||||
repl.num_counters = 0;
|
||||
repl.counters = NULL;
|
||||
repl.size = newinfo->size;
|
||||
ret = translate_table(newinfo, entry1, &repl);
|
||||
if (ret)
|
||||
goto free_newinfo;
|
||||
|
||||
i = 0;
|
||||
xt_entry_foreach(iter1, entry1, newinfo->size) {
|
||||
iter1->counters.pcnt = xt_percpu_counter_alloc();
|
||||
if (IS_ERR_VALUE(iter1->counters.pcnt)) {
|
||||
ret = -ENOMEM;
|
||||
break;
|
||||
}
|
||||
|
||||
ret = check_target(iter1, compatr->name);
|
||||
if (ret != 0) {
|
||||
xt_percpu_counter_free(iter1->counters.pcnt);
|
||||
break;
|
||||
}
|
||||
++i;
|
||||
if (strcmp(arpt_get_target(iter1)->u.user.name,
|
||||
XT_ERROR_TARGET) == 0)
|
||||
++newinfo->stacksize;
|
||||
}
|
||||
if (ret) {
|
||||
/*
|
||||
* The first i matches need cleanup_entry (calls ->destroy)
|
||||
* because they had called ->check already. The other j-i
|
||||
* entries need only release.
|
||||
*/
|
||||
int skip = i;
|
||||
j -= i;
|
||||
xt_entry_foreach(iter0, entry0, newinfo->size) {
|
||||
if (skip-- > 0)
|
||||
continue;
|
||||
if (j-- == 0)
|
||||
break;
|
||||
compat_release_entry(iter0);
|
||||
}
|
||||
xt_entry_foreach(iter1, entry1, newinfo->size) {
|
||||
if (i-- == 0)
|
||||
break;
|
||||
cleanup_entry(iter1);
|
||||
}
|
||||
xt_free_table_info(newinfo);
|
||||
return ret;
|
||||
}
|
||||
|
||||
*pinfo = newinfo;
|
||||
*pentry0 = entry1;
|
||||
xt_free_table_info(info);
|
||||
@ -1478,17 +1411,16 @@ static int translate_compat_table(struct xt_table_info **pinfo,
|
||||
|
||||
free_newinfo:
|
||||
xt_free_table_info(newinfo);
|
||||
out:
|
||||
return ret;
|
||||
out_unlock:
|
||||
xt_compat_flush_offsets(NFPROTO_ARP);
|
||||
xt_compat_unlock(NFPROTO_ARP);
|
||||
xt_entry_foreach(iter0, entry0, compatr->size) {
|
||||
if (j-- == 0)
|
||||
break;
|
||||
compat_release_entry(iter0);
|
||||
}
|
||||
return ret;
|
||||
out_unlock:
|
||||
xt_compat_flush_offsets(NFPROTO_ARP);
|
||||
xt_compat_unlock(NFPROTO_ARP);
|
||||
goto out;
|
||||
}
|
||||
|
||||
static int compat_do_replace(struct net *net, void __user *user,
|
||||
|
@ -1483,16 +1483,14 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
|
||||
struct xt_table_info *newinfo,
|
||||
unsigned int *size,
|
||||
const unsigned char *base,
|
||||
const unsigned char *limit,
|
||||
const unsigned int *hook_entries,
|
||||
const unsigned int *underflows)
|
||||
const unsigned char *limit)
|
||||
{
|
||||
struct xt_entry_match *ematch;
|
||||
struct xt_entry_target *t;
|
||||
struct xt_target *target;
|
||||
unsigned int entry_offset;
|
||||
unsigned int j;
|
||||
int ret, off, h;
|
||||
int ret, off;
|
||||
|
||||
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
||||
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
|
||||
@ -1544,17 +1542,6 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* Check hooks & underflows */
|
||||
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
|
||||
if ((unsigned char *)e - base == hook_entries[h])
|
||||
newinfo->hook_entry[h] = hook_entries[h];
|
||||
if ((unsigned char *)e - base == underflows[h])
|
||||
newinfo->underflow[h] = underflows[h];
|
||||
}
|
||||
|
||||
/* Clear counters and comefrom */
|
||||
memset(&e->counters, 0, sizeof(e->counters));
|
||||
e->comefrom = 0;
|
||||
return 0;
|
||||
|
||||
out:
|
||||
@ -1597,6 +1584,7 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
|
||||
xt_compat_target_from_user(t, dstptr, size);
|
||||
|
||||
de->next_offset = e->next_offset - (origsize - *size);
|
||||
|
||||
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
|
||||
if ((unsigned char *)de - base < newinfo->hook_entry[h])
|
||||
newinfo->hook_entry[h] -= origsize - *size;
|
||||
@ -1605,48 +1593,6 @@ compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
|
||||
{
|
||||
struct xt_entry_match *ematch;
|
||||
struct xt_mtchk_param mtpar;
|
||||
unsigned int j;
|
||||
int ret = 0;
|
||||
|
||||
e->counters.pcnt = xt_percpu_counter_alloc();
|
||||
if (IS_ERR_VALUE(e->counters.pcnt))
|
||||
return -ENOMEM;
|
||||
|
||||
j = 0;
|
||||
mtpar.net = net;
|
||||
mtpar.table = name;
|
||||
mtpar.entryinfo = &e->ip;
|
||||
mtpar.hook_mask = e->comefrom;
|
||||
mtpar.family = NFPROTO_IPV4;
|
||||
xt_ematch_foreach(ematch, e) {
|
||||
ret = check_match(ematch, &mtpar);
|
||||
if (ret != 0)
|
||||
goto cleanup_matches;
|
||||
++j;
|
||||
}
|
||||
|
||||
ret = check_target(e, net, name);
|
||||
if (ret)
|
||||
goto cleanup_matches;
|
||||
return 0;
|
||||
|
||||
cleanup_matches:
|
||||
xt_ematch_foreach(ematch, e) {
|
||||
if (j-- == 0)
|
||||
break;
|
||||
cleanup_match(ematch, net);
|
||||
}
|
||||
|
||||
xt_percpu_counter_free(e->counters.pcnt);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
translate_compat_table(struct net *net,
|
||||
struct xt_table_info **pinfo,
|
||||
@ -1657,7 +1603,7 @@ translate_compat_table(struct net *net,
|
||||
struct xt_table_info *newinfo, *info;
|
||||
void *pos, *entry0, *entry1;
|
||||
struct compat_ipt_entry *iter0;
|
||||
struct ipt_entry *iter1;
|
||||
struct ipt_replace repl;
|
||||
unsigned int size;
|
||||
int ret;
|
||||
|
||||
@ -1666,12 +1612,6 @@ translate_compat_table(struct net *net,
|
||||
size = compatr->size;
|
||||
info->number = compatr->num_entries;
|
||||
|
||||
/* Init all hooks to impossible value. */
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
info->hook_entry[i] = 0xFFFFFFFF;
|
||||
info->underflow[i] = 0xFFFFFFFF;
|
||||
}
|
||||
|
||||
duprintf("translate_compat_table: size %u\n", info->size);
|
||||
j = 0;
|
||||
xt_compat_lock(AF_INET);
|
||||
@ -1680,9 +1620,7 @@ translate_compat_table(struct net *net,
|
||||
xt_entry_foreach(iter0, entry0, compatr->size) {
|
||||
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
|
||||
entry0,
|
||||
entry0 + compatr->size,
|
||||
compatr->hook_entry,
|
||||
compatr->underflow);
|
||||
entry0 + compatr->size);
|
||||
if (ret != 0)
|
||||
goto out_unlock;
|
||||
++j;
|
||||
@ -1695,23 +1633,6 @@ translate_compat_table(struct net *net,
|
||||
goto out_unlock;
|
||||
}
|
||||
|
||||
/* Check hooks all assigned */
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
/* Only hooks which are valid */
|
||||
if (!(compatr->valid_hooks & (1 << i)))
|
||||
continue;
|
||||
if (info->hook_entry[i] == 0xFFFFFFFF) {
|
||||
duprintf("Invalid hook entry %u %u\n",
|
||||
i, info->hook_entry[i]);
|
||||
goto out_unlock;
|
||||
}
|
||||
if (info->underflow[i] == 0xFFFFFFFF) {
|
||||
duprintf("Invalid underflow %u %u\n",
|
||||
i, info->underflow[i]);
|
||||
goto out_unlock;
|
||||
}
|
||||
}
|
||||
|
||||
ret = -ENOMEM;
|
||||
newinfo = xt_alloc_table_info(size);
|
||||
if (!newinfo)
|
||||
@ -1719,8 +1640,8 @@ translate_compat_table(struct net *net,
|
||||
|
||||
newinfo->number = compatr->num_entries;
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
newinfo->hook_entry[i] = info->hook_entry[i];
|
||||
newinfo->underflow[i] = info->underflow[i];
|
||||
newinfo->hook_entry[i] = compatr->hook_entry[i];
|
||||
newinfo->underflow[i] = compatr->underflow[i];
|
||||
}
|
||||
entry1 = newinfo->entries;
|
||||
pos = entry1;
|
||||
@ -1729,47 +1650,30 @@ translate_compat_table(struct net *net,
|
||||
compat_copy_entry_from_user(iter0, &pos, &size,
|
||||
newinfo, entry1);
|
||||
|
||||
/* all module references in entry0 are now gone.
|
||||
* entry1/newinfo contains a 64bit ruleset that looks exactly as
|
||||
* generated by 64bit userspace.
|
||||
*
|
||||
* Call standard translate_table() to validate all hook_entrys,
|
||||
* underflows, check for loops, etc.
|
||||
*/
|
||||
xt_compat_flush_offsets(AF_INET);
|
||||
xt_compat_unlock(AF_INET);
|
||||
|
||||
ret = -ELOOP;
|
||||
if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
|
||||
goto free_newinfo;
|
||||
memcpy(&repl, compatr, sizeof(*compatr));
|
||||
|
||||
i = 0;
|
||||
xt_entry_foreach(iter1, entry1, newinfo->size) {
|
||||
ret = compat_check_entry(iter1, net, compatr->name);
|
||||
if (ret != 0)
|
||||
break;
|
||||
++i;
|
||||
if (strcmp(ipt_get_target(iter1)->u.user.name,
|
||||
XT_ERROR_TARGET) == 0)
|
||||
++newinfo->stacksize;
|
||||
}
|
||||
if (ret) {
|
||||
/*
|
||||
* The first i matches need cleanup_entry (calls ->destroy)
|
||||
* because they had called ->check already. The other j-i
|
||||
* entries need only release.
|
||||
*/
|
||||
int skip = i;
|
||||
j -= i;
|
||||
xt_entry_foreach(iter0, entry0, newinfo->size) {
|
||||
if (skip-- > 0)
|
||||
continue;
|
||||
if (j-- == 0)
|
||||
break;
|
||||
compat_release_entry(iter0);
|
||||
}
|
||||
xt_entry_foreach(iter1, entry1, newinfo->size) {
|
||||
if (i-- == 0)
|
||||
break;
|
||||
cleanup_entry(iter1, net);
|
||||
}
|
||||
xt_free_table_info(newinfo);
|
||||
return ret;
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
repl.hook_entry[i] = newinfo->hook_entry[i];
|
||||
repl.underflow[i] = newinfo->underflow[i];
|
||||
}
|
||||
|
||||
repl.num_counters = 0;
|
||||
repl.counters = NULL;
|
||||
repl.size = newinfo->size;
|
||||
ret = translate_table(net, newinfo, entry1, &repl);
|
||||
if (ret)
|
||||
goto free_newinfo;
|
||||
|
||||
*pinfo = newinfo;
|
||||
*pentry0 = entry1;
|
||||
xt_free_table_info(info);
|
||||
@ -1777,17 +1681,16 @@ translate_compat_table(struct net *net,
|
||||
|
||||
free_newinfo:
|
||||
xt_free_table_info(newinfo);
|
||||
out:
|
||||
return ret;
|
||||
out_unlock:
|
||||
xt_compat_flush_offsets(AF_INET);
|
||||
xt_compat_unlock(AF_INET);
|
||||
xt_entry_foreach(iter0, entry0, compatr->size) {
|
||||
if (j-- == 0)
|
||||
break;
|
||||
compat_release_entry(iter0);
|
||||
}
|
||||
return ret;
|
||||
out_unlock:
|
||||
xt_compat_flush_offsets(AF_INET);
|
||||
xt_compat_unlock(AF_INET);
|
||||
goto out;
|
||||
}
|
||||
|
||||
static int
|
||||
|
@ -1495,16 +1495,14 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
|
||||
struct xt_table_info *newinfo,
|
||||
unsigned int *size,
|
||||
const unsigned char *base,
|
||||
const unsigned char *limit,
|
||||
const unsigned int *hook_entries,
|
||||
const unsigned int *underflows)
|
||||
const unsigned char *limit)
|
||||
{
|
||||
struct xt_entry_match *ematch;
|
||||
struct xt_entry_target *t;
|
||||
struct xt_target *target;
|
||||
unsigned int entry_offset;
|
||||
unsigned int j;
|
||||
int ret, off, h;
|
||||
int ret, off;
|
||||
|
||||
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
||||
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
|
||||
@ -1556,17 +1554,6 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/* Check hooks & underflows */
|
||||
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
|
||||
if ((unsigned char *)e - base == hook_entries[h])
|
||||
newinfo->hook_entry[h] = hook_entries[h];
|
||||
if ((unsigned char *)e - base == underflows[h])
|
||||
newinfo->underflow[h] = underflows[h];
|
||||
}
|
||||
|
||||
/* Clear counters and comefrom */
|
||||
memset(&e->counters, 0, sizeof(e->counters));
|
||||
e->comefrom = 0;
|
||||
return 0;
|
||||
|
||||
out:
|
||||
@ -1615,47 +1602,6 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
|
||||
}
|
||||
}
|
||||
|
||||
static int compat_check_entry(struct ip6t_entry *e, struct net *net,
|
||||
const char *name)
|
||||
{
|
||||
unsigned int j;
|
||||
int ret = 0;
|
||||
struct xt_mtchk_param mtpar;
|
||||
struct xt_entry_match *ematch;
|
||||
|
||||
e->counters.pcnt = xt_percpu_counter_alloc();
|
||||
if (IS_ERR_VALUE(e->counters.pcnt))
|
||||
return -ENOMEM;
|
||||
j = 0;
|
||||
mtpar.net = net;
|
||||
mtpar.table = name;
|
||||
mtpar.entryinfo = &e->ipv6;
|
||||
mtpar.hook_mask = e->comefrom;
|
||||
mtpar.family = NFPROTO_IPV6;
|
||||
xt_ematch_foreach(ematch, e) {
|
||||
ret = check_match(ematch, &mtpar);
|
||||
if (ret != 0)
|
||||
goto cleanup_matches;
|
||||
++j;
|
||||
}
|
||||
|
||||
ret = check_target(e, net, name);
|
||||
if (ret)
|
||||
goto cleanup_matches;
|
||||
return 0;
|
||||
|
||||
cleanup_matches:
|
||||
xt_ematch_foreach(ematch, e) {
|
||||
if (j-- == 0)
|
||||
break;
|
||||
cleanup_match(ematch, net);
|
||||
}
|
||||
|
||||
xt_percpu_counter_free(e->counters.pcnt);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
translate_compat_table(struct net *net,
|
||||
struct xt_table_info **pinfo,
|
||||
@ -1666,7 +1612,7 @@ translate_compat_table(struct net *net,
|
||||
struct xt_table_info *newinfo, *info;
|
||||
void *pos, *entry0, *entry1;
|
||||
struct compat_ip6t_entry *iter0;
|
||||
struct ip6t_entry *iter1;
|
||||
struct ip6t_replace repl;
|
||||
unsigned int size;
|
||||
int ret = 0;
|
||||
|
||||
@ -1675,12 +1621,6 @@ translate_compat_table(struct net *net,
|
||||
size = compatr->size;
|
||||
info->number = compatr->num_entries;
|
||||
|
||||
/* Init all hooks to impossible value. */
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
info->hook_entry[i] = 0xFFFFFFFF;
|
||||
info->underflow[i] = 0xFFFFFFFF;
|
||||
}
|
||||
|
||||
duprintf("translate_compat_table: size %u\n", info->size);
|
||||
j = 0;
|
||||
xt_compat_lock(AF_INET6);
|
||||
@ -1689,9 +1629,7 @@ translate_compat_table(struct net *net,
|
||||
xt_entry_foreach(iter0, entry0, compatr->size) {
|
||||
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
|
||||
entry0,
|
||||
entry0 + compatr->size,
|
||||
compatr->hook_entry,
|
||||
compatr->underflow);
|
||||
entry0 + compatr->size);
|
||||
if (ret != 0)
|
||||
goto out_unlock;
|
||||
++j;
|
||||
@ -1704,23 +1642,6 @@ translate_compat_table(struct net *net,
|
||||
goto out_unlock;
|
||||
}
|
||||
|
||||
/* Check hooks all assigned */
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
/* Only hooks which are valid */
|
||||
if (!(compatr->valid_hooks & (1 << i)))
|
||||
continue;
|
||||
if (info->hook_entry[i] == 0xFFFFFFFF) {
|
||||
duprintf("Invalid hook entry %u %u\n",
|
||||
i, info->hook_entry[i]);
|
||||
goto out_unlock;
|
||||
}
|
||||
if (info->underflow[i] == 0xFFFFFFFF) {
|
||||
duprintf("Invalid underflow %u %u\n",
|
||||
i, info->underflow[i]);
|
||||
goto out_unlock;
|
||||
}
|
||||
}
|
||||
|
||||
ret = -ENOMEM;
|
||||
newinfo = xt_alloc_table_info(size);
|
||||
if (!newinfo)
|
||||
@ -1728,56 +1649,34 @@ translate_compat_table(struct net *net,
|
||||
|
||||
newinfo->number = compatr->num_entries;
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
newinfo->hook_entry[i] = info->hook_entry[i];
|
||||
newinfo->underflow[i] = info->underflow[i];
|
||||
newinfo->hook_entry[i] = compatr->hook_entry[i];
|
||||
newinfo->underflow[i] = compatr->underflow[i];
|
||||
}
|
||||
entry1 = newinfo->entries;
|
||||
pos = entry1;
|
||||
size = compatr->size;
|
||||
xt_entry_foreach(iter0, entry0, compatr->size)
|
||||
compat_copy_entry_from_user(iter0, &pos, &size,
|
||||
newinfo, entry1);
|
||||
|
||||
/* all module references in entry0 are now gone. */
|
||||
xt_compat_flush_offsets(AF_INET6);
|
||||
xt_compat_unlock(AF_INET6);
|
||||
|
||||
ret = -ELOOP;
|
||||
if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
|
||||
goto free_newinfo;
|
||||
memcpy(&repl, compatr, sizeof(*compatr));
|
||||
|
||||
i = 0;
|
||||
xt_entry_foreach(iter1, entry1, newinfo->size) {
|
||||
ret = compat_check_entry(iter1, net, compatr->name);
|
||||
if (ret != 0)
|
||||
break;
|
||||
++i;
|
||||
if (strcmp(ip6t_get_target(iter1)->u.user.name,
|
||||
XT_ERROR_TARGET) == 0)
|
||||
++newinfo->stacksize;
|
||||
}
|
||||
if (ret) {
|
||||
/*
|
||||
* The first i matches need cleanup_entry (calls ->destroy)
|
||||
* because they had called ->check already. The other j-i
|
||||
* entries need only release.
|
||||
*/
|
||||
int skip = i;
|
||||
j -= i;
|
||||
xt_entry_foreach(iter0, entry0, newinfo->size) {
|
||||
if (skip-- > 0)
|
||||
continue;
|
||||
if (j-- == 0)
|
||||
break;
|
||||
compat_release_entry(iter0);
|
||||
}
|
||||
xt_entry_foreach(iter1, entry1, newinfo->size) {
|
||||
if (i-- == 0)
|
||||
break;
|
||||
cleanup_entry(iter1, net);
|
||||
}
|
||||
xt_free_table_info(newinfo);
|
||||
return ret;
|
||||
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
|
||||
repl.hook_entry[i] = newinfo->hook_entry[i];
|
||||
repl.underflow[i] = newinfo->underflow[i];
|
||||
}
|
||||
|
||||
repl.num_counters = 0;
|
||||
repl.counters = NULL;
|
||||
repl.size = newinfo->size;
|
||||
ret = translate_table(net, newinfo, entry1, &repl);
|
||||
if (ret)
|
||||
goto free_newinfo;
|
||||
|
||||
*pinfo = newinfo;
|
||||
*pentry0 = entry1;
|
||||
xt_free_table_info(info);
|
||||
@ -1785,17 +1684,16 @@ translate_compat_table(struct net *net,
|
||||
|
||||
free_newinfo:
|
||||
xt_free_table_info(newinfo);
|
||||
out:
|
||||
return ret;
|
||||
out_unlock:
|
||||
xt_compat_flush_offsets(AF_INET6);
|
||||
xt_compat_unlock(AF_INET6);
|
||||
xt_entry_foreach(iter0, entry0, compatr->size) {
|
||||
if (j-- == 0)
|
||||
break;
|
||||
compat_release_entry(iter0);
|
||||
}
|
||||
return ret;
|
||||
out_unlock:
|
||||
xt_compat_flush_offsets(AF_INET6);
|
||||
xt_compat_unlock(AF_INET6);
|
||||
goto out;
|
||||
}
|
||||
|
||||
static int
|
||||
|
@ -533,6 +533,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
||||
struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
|
||||
int pad, off = xt_compat_match_offset(match);
|
||||
u_int16_t msize = cm->u.user.match_size;
|
||||
char name[sizeof(m->u.user.name)];
|
||||
|
||||
m = *dstptr;
|
||||
memcpy(m, cm, sizeof(*cm));
|
||||
@ -546,6 +547,9 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
|
||||
|
||||
msize += off;
|
||||
m->u.user.match_size = msize;
|
||||
strlcpy(name, match->name, sizeof(name));
|
||||
module_put(match->me);
|
||||
strncpy(m->u.user.name, name, sizeof(m->u.user.name));
|
||||
|
||||
*size += off;
|
||||
*dstptr += msize;
|
||||
@ -763,6 +767,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
|
||||
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
|
||||
int pad, off = xt_compat_target_offset(target);
|
||||
u_int16_t tsize = ct->u.user.target_size;
|
||||
char name[sizeof(t->u.user.name)];
|
||||
|
||||
t = *dstptr;
|
||||
memcpy(t, ct, sizeof(*ct));
|
||||
@ -776,6 +781,9 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
|
||||
|
||||
tsize += off;
|
||||
t->u.user.target_size = tsize;
|
||||
strlcpy(name, target->name, sizeof(name));
|
||||
module_put(target->me);
|
||||
strncpy(t->u.user.name, name, sizeof(t->u.user.name));
|
||||
|
||||
*size += off;
|
||||
*dstptr += tsize;
|
||||
|
Loading…
Reference in New Issue
Block a user