Commit 18219d3f authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Patrick McHardy

netfilter: ebtables: do centralized size checking

Signed-off-by: default avatarJan Engelhardt <jengelh@medozas.de>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent d2f26037
...@@ -215,6 +215,7 @@ struct ebt_match ...@@ -215,6 +215,7 @@ struct ebt_match
int (*check)(const char *tablename, unsigned int hookmask, int (*check)(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *matchdata, unsigned int datalen); const struct ebt_entry *e, void *matchdata, unsigned int datalen);
void (*destroy)(void *matchdata, unsigned int datalen); void (*destroy)(void *matchdata, unsigned int datalen);
unsigned int matchsize;
struct module *me; struct module *me;
}; };
...@@ -229,6 +230,7 @@ struct ebt_watcher ...@@ -229,6 +230,7 @@ struct ebt_watcher
int (*check)(const char *tablename, unsigned int hookmask, int (*check)(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *watcherdata, unsigned int datalen); const struct ebt_entry *e, void *watcherdata, unsigned int datalen);
void (*destroy)(void *watcherdata, unsigned int datalen); void (*destroy)(void *watcherdata, unsigned int datalen);
unsigned int targetsize;
struct module *me; struct module *me;
}; };
...@@ -244,6 +246,7 @@ struct ebt_target ...@@ -244,6 +246,7 @@ struct ebt_target
int (*check)(const char *tablename, unsigned int hookmask, int (*check)(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *targetdata, unsigned int datalen); const struct ebt_entry *e, void *targetdata, unsigned int datalen);
void (*destroy)(void *targetdata, unsigned int datalen); void (*destroy)(void *targetdata, unsigned int datalen);
unsigned int targetsize;
struct module *me; struct module *me;
}; };
......
...@@ -7,10 +7,10 @@ ...@@ -7,10 +7,10 @@
* May 2003 * May 2003
* *
*/ */
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_802_3.h> #include <linux/netfilter_bridge/ebt_802_3.h>
#include <linux/module.h>
static int ebt_filter_802_3(const struct sk_buff *skb, const struct net_device *in, static int ebt_filter_802_3(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *data, unsigned int datalen) const struct net_device *out, const void *data, unsigned int datalen)
...@@ -42,8 +42,6 @@ static int ebt_802_3_check(const char *tablename, unsigned int hookmask, ...@@ -42,8 +42,6 @@ static int ebt_802_3_check(const char *tablename, unsigned int hookmask,
{ {
const struct ebt_802_3_info *info = data; const struct ebt_802_3_info *info = data;
if (datalen < sizeof(struct ebt_802_3_info))
return -EINVAL;
if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK) if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
return -EINVAL; return -EINVAL;
...@@ -54,6 +52,7 @@ static struct ebt_match filter_802_3 __read_mostly = { ...@@ -54,6 +52,7 @@ static struct ebt_match filter_802_3 __read_mostly = {
.name = EBT_802_3_MATCH, .name = EBT_802_3_MATCH,
.match = ebt_filter_802_3, .match = ebt_filter_802_3,
.check = ebt_802_3_check, .check = ebt_802_3_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_802_3_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -216,6 +216,7 @@ static struct ebt_match filter_among __read_mostly = { ...@@ -216,6 +216,7 @@ static struct ebt_match filter_among __read_mostly = {
.name = EBT_AMONG_MATCH, .name = EBT_AMONG_MATCH,
.match = ebt_filter_among, .match = ebt_filter_among,
.check = ebt_among_check, .check = ebt_among_check,
.matchsize = -1, /* special case */
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -8,12 +8,12 @@ ...@@ -8,12 +8,12 @@
* April, 2002 * April, 2002
* *
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_arp.h>
#include <linux/if_arp.h> #include <linux/if_arp.h>
#include <linux/if_ether.h> #include <linux/if_ether.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_arp.h>
static int ebt_filter_arp(const struct sk_buff *skb, const struct net_device *in, static int ebt_filter_arp(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *data, unsigned int datalen) const struct net_device *out, const void *data, unsigned int datalen)
...@@ -105,8 +105,6 @@ static int ebt_arp_check(const char *tablename, unsigned int hookmask, ...@@ -105,8 +105,6 @@ static int ebt_arp_check(const char *tablename, unsigned int hookmask,
{ {
const struct ebt_arp_info *info = data; const struct ebt_arp_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_arp_info)))
return -EINVAL;
if ((e->ethproto != htons(ETH_P_ARP) && if ((e->ethproto != htons(ETH_P_ARP) &&
e->ethproto != htons(ETH_P_RARP)) || e->ethproto != htons(ETH_P_RARP)) ||
e->invflags & EBT_IPROTO) e->invflags & EBT_IPROTO)
...@@ -120,6 +118,7 @@ static struct ebt_match filter_arp __read_mostly = { ...@@ -120,6 +118,7 @@ static struct ebt_match filter_arp __read_mostly = {
.name = EBT_ARP_MATCH, .name = EBT_ARP_MATCH,
.match = ebt_filter_arp, .match = ebt_filter_arp,
.check = ebt_arp_check, .check = ebt_arp_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_arp_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -8,12 +8,12 @@ ...@@ -8,12 +8,12 @@
* August, 2003 * August, 2003
* *
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_arpreply.h>
#include <linux/if_arp.h> #include <linux/if_arp.h>
#include <net/arp.h> #include <net/arp.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_arpreply.h>
static int ebt_target_reply(struct sk_buff *skb, unsigned int hooknr, static int ebt_target_reply(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out, const struct net_device *in, const struct net_device *out,
...@@ -63,8 +63,6 @@ static int ebt_target_reply_check(const char *tablename, unsigned int hookmask, ...@@ -63,8 +63,6 @@ static int ebt_target_reply_check(const char *tablename, unsigned int hookmask,
{ {
const struct ebt_arpreply_info *info = data; const struct ebt_arpreply_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_arpreply_info)))
return -EINVAL;
if (BASE_CHAIN && info->target == EBT_RETURN) if (BASE_CHAIN && info->target == EBT_RETURN)
return -EINVAL; return -EINVAL;
if (e->ethproto != htons(ETH_P_ARP) || if (e->ethproto != htons(ETH_P_ARP) ||
...@@ -80,6 +78,7 @@ static struct ebt_target reply_target __read_mostly = { ...@@ -80,6 +78,7 @@ static struct ebt_target reply_target __read_mostly = {
.name = EBT_ARPREPLY_TARGET, .name = EBT_ARPREPLY_TARGET,
.target = ebt_target_reply, .target = ebt_target_reply,
.check = ebt_target_reply_check, .check = ebt_target_reply_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_arpreply_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -7,12 +7,12 @@ ...@@ -7,12 +7,12 @@
* June, 2002 * June, 2002
* *
*/ */
#include <linux/module.h>
#include <net/sock.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_nat.h> #include <linux/netfilter_bridge/ebt_nat.h>
#include <linux/module.h>
#include <net/sock.h>
static int ebt_target_dnat(struct sk_buff *skb, unsigned int hooknr, static int ebt_target_dnat(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out, const struct net_device *in, const struct net_device *out,
...@@ -39,8 +39,6 @@ static int ebt_target_dnat_check(const char *tablename, unsigned int hookmask, ...@@ -39,8 +39,6 @@ static int ebt_target_dnat_check(const char *tablename, unsigned int hookmask,
(hookmask & ~((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT)))) && (hookmask & ~((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT)))) &&
(strcmp(tablename, "broute") || hookmask & ~(1 << NF_BR_BROUTING)) ) (strcmp(tablename, "broute") || hookmask & ~(1 << NF_BR_BROUTING)) )
return -EINVAL; return -EINVAL;
if (datalen != EBT_ALIGN(sizeof(struct ebt_nat_info)))
return -EINVAL;
if (INVALID_TARGET) if (INVALID_TARGET)
return -EINVAL; return -EINVAL;
return 0; return 0;
...@@ -50,6 +48,7 @@ static struct ebt_target dnat __read_mostly = { ...@@ -50,6 +48,7 @@ static struct ebt_target dnat __read_mostly = {
.name = EBT_DNAT_TARGET, .name = EBT_DNAT_TARGET,
.target = ebt_target_dnat, .target = ebt_target_dnat,
.check = ebt_target_dnat_check, .check = ebt_target_dnat_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_nat_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -11,13 +11,13 @@ ...@@ -11,13 +11,13 @@
* Innominate Security Technologies AG <mhopf@innominate.com> * Innominate Security Technologies AG <mhopf@innominate.com>
* September, 2002 * September, 2002
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_ip.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <net/ip.h> #include <net/ip.h>
#include <linux/in.h> #include <linux/in.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_ip.h>
struct tcpudphdr { struct tcpudphdr {
__be16 src; __be16 src;
...@@ -83,8 +83,6 @@ static int ebt_ip_check(const char *tablename, unsigned int hookmask, ...@@ -83,8 +83,6 @@ static int ebt_ip_check(const char *tablename, unsigned int hookmask,
{ {
const struct ebt_ip_info *info = data; const struct ebt_ip_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_ip_info)))
return -EINVAL;
if (e->ethproto != htons(ETH_P_IP) || if (e->ethproto != htons(ETH_P_IP) ||
e->invflags & EBT_IPROTO) e->invflags & EBT_IPROTO)
return -EINVAL; return -EINVAL;
...@@ -111,6 +109,7 @@ static struct ebt_match filter_ip __read_mostly = { ...@@ -111,6 +109,7 @@ static struct ebt_match filter_ip __read_mostly = {
.name = EBT_IP_MATCH, .name = EBT_IP_MATCH,
.match = ebt_filter_ip, .match = ebt_filter_ip,
.check = ebt_ip_check, .check = ebt_ip_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_ip_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -13,14 +13,14 @@ ...@@ -13,14 +13,14 @@
* *
* Jan, 2008 * Jan, 2008
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_ip6.h>
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <net/ipv6.h> #include <net/ipv6.h>
#include <linux/in.h> #include <linux/in.h>
#include <linux/module.h> #include <linux/module.h>
#include <net/dsfield.h> #include <net/dsfield.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_ip6.h>
struct tcpudphdr { struct tcpudphdr {
__be16 src; __be16 src;
...@@ -97,8 +97,6 @@ static int ebt_ip6_check(const char *tablename, unsigned int hookmask, ...@@ -97,8 +97,6 @@ static int ebt_ip6_check(const char *tablename, unsigned int hookmask,
{ {
struct ebt_ip6_info *info = (struct ebt_ip6_info *)data; struct ebt_ip6_info *info = (struct ebt_ip6_info *)data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_ip6_info)))
return -EINVAL;
if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
return -EINVAL; return -EINVAL;
if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
...@@ -125,6 +123,7 @@ static struct ebt_match filter_ip6 = ...@@ -125,6 +123,7 @@ static struct ebt_match filter_ip6 =
.name = EBT_IP6_MATCH, .name = EBT_IP6_MATCH,
.match = ebt_filter_ip6, .match = ebt_filter_ip6,
.check = ebt_ip6_check, .check = ebt_ip6_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_ip6_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -10,13 +10,12 @@ ...@@ -10,13 +10,12 @@
* September, 2003 * September, 2003
* *
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_limit.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_limit.h>
static DEFINE_SPINLOCK(limit_lock); static DEFINE_SPINLOCK(limit_lock);
...@@ -71,9 +70,6 @@ static int ebt_limit_check(const char *tablename, unsigned int hookmask, ...@@ -71,9 +70,6 @@ static int ebt_limit_check(const char *tablename, unsigned int hookmask,
{ {
struct ebt_limit_info *info = data; struct ebt_limit_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_limit_info)))
return -EINVAL;
/* Check for overflow. */ /* Check for overflow. */
if (info->burst == 0 || if (info->burst == 0 ||
user2credits(info->avg * info->burst) < user2credits(info->avg)) { user2credits(info->avg * info->burst) < user2credits(info->avg)) {
...@@ -94,6 +90,7 @@ static struct ebt_match ebt_limit_reg __read_mostly = { ...@@ -94,6 +90,7 @@ static struct ebt_match ebt_limit_reg __read_mostly = {
.name = EBT_LIMIT_MATCH, .name = EBT_LIMIT_MATCH,
.match = ebt_limit_match, .match = ebt_limit_match,
.check = ebt_limit_check, .check = ebt_limit_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_limit_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -8,10 +8,6 @@ ...@@ -8,10 +8,6 @@
* April, 2002 * April, 2002
* *
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_log.h>
#include <linux/netfilter.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/ip.h> #include <linux/ip.h>
#include <linux/in.h> #include <linux/in.h>
...@@ -21,6 +17,10 @@ ...@@ -21,6 +17,10 @@
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <net/ipv6.h> #include <net/ipv6.h>
#include <linux/in6.h> #include <linux/in6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_log.h>
#include <linux/netfilter.h>
static DEFINE_SPINLOCK(ebt_log_lock); static DEFINE_SPINLOCK(ebt_log_lock);
...@@ -29,8 +29,6 @@ static int ebt_log_check(const char *tablename, unsigned int hookmask, ...@@ -29,8 +29,6 @@ static int ebt_log_check(const char *tablename, unsigned int hookmask,
{ {
struct ebt_log_info *info = data; struct ebt_log_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_log_info)))
return -EINVAL;
if (info->bitmask & ~EBT_LOG_MASK) if (info->bitmask & ~EBT_LOG_MASK)
return -EINVAL; return -EINVAL;
if (info->loglevel >= 8) if (info->loglevel >= 8)
...@@ -218,6 +216,7 @@ static struct ebt_watcher log = ...@@ -218,6 +216,7 @@ static struct ebt_watcher log =
.name = EBT_LOG_WATCHER, .name = EBT_LOG_WATCHER,
.watcher = ebt_log, .watcher = ebt_log,
.check = ebt_log_check, .check = ebt_log_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_log_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -13,9 +13,10 @@ ...@@ -13,9 +13,10 @@
* Marking a frame doesn't really change anything in the frame anyway. * Marking a frame doesn't really change anything in the frame anyway.
*/ */
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_mark_t.h> #include <linux/netfilter_bridge/ebt_mark_t.h>
#include <linux/module.h>
static int ebt_target_mark(struct sk_buff *skb, unsigned int hooknr, static int ebt_target_mark(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out, const struct net_device *in, const struct net_device *out,
...@@ -42,8 +43,6 @@ static int ebt_target_mark_check(const char *tablename, unsigned int hookmask, ...@@ -42,8 +43,6 @@ static int ebt_target_mark_check(const char *tablename, unsigned int hookmask,
const struct ebt_mark_t_info *info = data; const struct ebt_mark_t_info *info = data;
int tmp; int tmp;
if (datalen != EBT_ALIGN(sizeof(struct ebt_mark_t_info)))
return -EINVAL;
tmp = info->target | ~EBT_VERDICT_BITS; tmp = info->target | ~EBT_VERDICT_BITS;
if (BASE_CHAIN && tmp == EBT_RETURN) if (BASE_CHAIN && tmp == EBT_RETURN)
return -EINVAL; return -EINVAL;
...@@ -61,6 +60,7 @@ static struct ebt_target mark_target __read_mostly = { ...@@ -61,6 +60,7 @@ static struct ebt_target mark_target __read_mostly = {
.name = EBT_MARK_TARGET, .name = EBT_MARK_TARGET,
.target = ebt_target_mark, .target = ebt_target_mark,
.check = ebt_target_mark_check, .check = ebt_target_mark_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_mark_t_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -7,10 +7,10 @@ ...@@ -7,10 +7,10 @@
* July, 2002 * July, 2002
* *
*/ */
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_mark_m.h> #include <linux/netfilter_bridge/ebt_mark_m.h>
#include <linux/module.h>
static int ebt_filter_mark(const struct sk_buff *skb, static int ebt_filter_mark(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out, const void *data, const struct net_device *in, const struct net_device *out, const void *data,
...@@ -28,8 +28,6 @@ static int ebt_mark_check(const char *tablename, unsigned int hookmask, ...@@ -28,8 +28,6 @@ static int ebt_mark_check(const char *tablename, unsigned int hookmask,
{ {
const struct ebt_mark_m_info *info = data; const struct ebt_mark_m_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_mark_m_info)))
return -EINVAL;
if (info->bitmask & ~EBT_MARK_MASK) if (info->bitmask & ~EBT_MARK_MASK)
return -EINVAL; return -EINVAL;
if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND)) if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
...@@ -43,6 +41,7 @@ static struct ebt_match filter_mark __read_mostly = { ...@@ -43,6 +41,7 @@ static struct ebt_match filter_mark __read_mostly = {
.name = EBT_MARK_MATCH, .name = EBT_MARK_MATCH,
.match = ebt_filter_mark, .match = ebt_filter_mark,
.check = ebt_mark_check, .check = ebt_mark_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_mark_m_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_nflog.h> #include <linux/netfilter_bridge/ebt_nflog.h>
#include <net/netfilter/nf_log.h> #include <net/netfilter/nf_log.h>
...@@ -42,8 +43,6 @@ static int ebt_nflog_check(const char *tablename, ...@@ -42,8 +43,6 @@ static int ebt_nflog_check(const char *tablename,
{ {
struct ebt_nflog_info *info = (struct ebt_nflog_info *)data; struct ebt_nflog_info *info = (struct ebt_nflog_info *)data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_nflog_info)))
return -EINVAL;
if (info->flags & ~EBT_NFLOG_MASK) if (info->flags & ~EBT_NFLOG_MASK)
return -EINVAL; return -EINVAL;
info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0'; info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
...@@ -54,6 +53,7 @@ static struct ebt_watcher nflog __read_mostly = { ...@@ -54,6 +53,7 @@ static struct ebt_watcher nflog __read_mostly = {
.name = EBT_NFLOG_WATCHER, .name = EBT_NFLOG_WATCHER,
.watcher = ebt_nflog, .watcher = ebt_nflog,
.check = ebt_nflog_check, .check = ebt_nflog_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_nflog_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -7,10 +7,10 @@ ...@@ -7,10 +7,10 @@
* April, 2003 * April, 2003
* *
*/ */
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_pkttype.h> #include <linux/netfilter_bridge/ebt_pkttype.h>
#include <linux/module.h>
static int ebt_filter_pkttype(const struct sk_buff *skb, static int ebt_filter_pkttype(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
...@@ -28,8 +28,6 @@ static int ebt_pkttype_check(const char *tablename, unsigned int hookmask, ...@@ -28,8 +28,6 @@ static int ebt_pkttype_check(const char *tablename, unsigned int hookmask,
{ {
const struct ebt_pkttype_info *info = data; const struct ebt_pkttype_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_pkttype_info)))
return -EINVAL;
if (info->invert != 0 && info->invert != 1) if (info->invert != 0 && info->invert != 1)
return -EINVAL; return -EINVAL;
/* Allow any pkt_type value */ /* Allow any pkt_type value */
...@@ -40,6 +38,7 @@ static struct ebt_match filter_pkttype __read_mostly = { ...@@ -40,6 +38,7 @@ static struct ebt_match filter_pkttype __read_mostly = {
.name = EBT_PKTTYPE_MATCH, .name = EBT_PKTTYPE_MATCH,
.match = ebt_filter_pkttype, .match = ebt_filter_pkttype,
.check = ebt_pkttype_check, .check = ebt_pkttype_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_pkttype_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -7,13 +7,13 @@ ...@@ -7,13 +7,13 @@
* April, 2002 * April, 2002
* *
*/ */
#include <linux/netfilter.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_redirect.h>
#include <linux/module.h> #include <linux/module.h>
#include <net/sock.h> #include <net/sock.h>
#include "../br_private.h" #include "../br_private.h"
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_redirect.h>
static int ebt_target_redirect(struct sk_buff *skb, unsigned int hooknr, static int ebt_target_redirect(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out, const struct net_device *in, const struct net_device *out,
...@@ -38,8 +38,6 @@ static int ebt_target_redirect_check(const char *tablename, unsigned int hookmas ...@@ -38,8 +38,6 @@ static int ebt_target_redirect_check(const char *tablename, unsigned int hookmas
{ {
const struct ebt_redirect_info *info = data; const struct ebt_redirect_info *info = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_redirect_info)))
return -EINVAL;
if (BASE_CHAIN && info->target == EBT_RETURN) if (BASE_CHAIN && info->target == EBT_RETURN)
return -EINVAL; return -EINVAL;
CLEAR_BASE_CHAIN_BIT; CLEAR_BASE_CHAIN_BIT;
...@@ -55,6 +53,7 @@ static struct ebt_target redirect_target __read_mostly = { ...@@ -55,6 +53,7 @@ static struct ebt_target redirect_target __read_mostly = {
.name = EBT_REDIRECT_TARGET, .name = EBT_REDIRECT_TARGET,
.target = ebt_target_redirect, .target = ebt_target_redirect,
.check = ebt_target_redirect_check, .check = ebt_target_redirect_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_redirect_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -7,14 +7,14 @@ ...@@ -7,14 +7,14 @@
* June, 2002 * June, 2002
* *
*/ */
#include <linux/netfilter.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_nat.h>
#include <linux/module.h> #include <linux/module.h>
#include <net/sock.h> #include <net/sock.h>
#include <linux/if_arp.h> #include <linux/if_arp.h>
#include <net/arp.h> #include <net/arp.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_nat.h>
static int ebt_target_snat(struct sk_buff *skb, unsigned int hooknr, static int ebt_target_snat(struct sk_buff *skb, unsigned int hooknr,
const struct net_device *in, const struct net_device *out, const struct net_device *in, const struct net_device *out,
...@@ -49,8 +49,6 @@ static int ebt_target_snat_check(const char *tablename, unsigned int hookmask, ...@@ -49,8 +49,6 @@ static int ebt_target_snat_check(const char *tablename, unsigned int hookmask,
const struct ebt_nat_info *info = data; const struct ebt_nat_info *info = data;
int tmp; int tmp;
if (datalen != EBT_ALIGN(sizeof(struct ebt_nat_info)))
return -EINVAL;
tmp = info->target | ~EBT_VERDICT_BITS; tmp = info->target | ~EBT_VERDICT_BITS;
if (BASE_CHAIN && tmp == EBT_RETURN) if (BASE_CHAIN && tmp == EBT_RETURN)
return -EINVAL; return -EINVAL;
...@@ -72,6 +70,7 @@ static struct ebt_target snat __read_mostly = { ...@@ -72,6 +70,7 @@ static struct ebt_target snat __read_mostly = {
.name = EBT_SNAT_TARGET, .name = EBT_SNAT_TARGET,
.target = ebt_target_snat, .target = ebt_target_snat,
.check = ebt_target_snat_check, .check = ebt_target_snat_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_nat_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -7,11 +7,11 @@ ...@@ -7,11 +7,11 @@
* *
* July, 2003 * July, 2003
*/ */
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_stp.h>
#include <linux/etherdevice.h> #include <linux/etherdevice.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_stp.h>
#define BPDU_TYPE_CONFIG 0 #define BPDU_TYPE_CONFIG 0
#define BPDU_TYPE_TCN 0x80 #define BPDU_TYPE_TCN 0x80
...@@ -157,15 +157,12 @@ static int ebt_stp_check(const char *tablename, unsigned int hookmask, ...@@ -157,15 +157,12 @@ static int ebt_stp_check(const char *tablename, unsigned int hookmask,
const struct ebt_entry *e, void *data, unsigned int datalen) const struct ebt_entry *e, void *data, unsigned int datalen)
{ {
const struct ebt_stp_info *info = data; const struct ebt_stp_info *info = data;
const unsigned int len = EBT_ALIGN(sizeof(struct ebt_stp_info));
const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00}; const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
const uint8_t msk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; const uint8_t msk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK || if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
!(info->bitmask & EBT_STP_MASK)) !(info->bitmask & EBT_STP_MASK))
return -EINVAL; return -EINVAL;
if (datalen != len)
return -EINVAL;
/* Make sure the match only receives stp frames */ /* Make sure the match only receives stp frames */
if (compare_ether_addr(e->destmac, bridge_ula) || if (compare_ether_addr(e->destmac, bridge_ula) ||
compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC)) compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
...@@ -178,6 +175,7 @@ static struct ebt_match filter_stp __read_mostly = { ...@@ -178,6 +175,7 @@ static struct ebt_match filter_stp __read_mostly = {
.name = EBT_STP_MATCH, .name = EBT_STP_MATCH,
.match = ebt_filter_stp, .match = ebt_filter_stp,
.check = ebt_stp_check, .check = ebt_stp_check,
.matchsize = XT_ALIGN(sizeof(struct ebt_stp_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -36,6 +36,7 @@ ...@@ -36,6 +36,7 @@
#include <linux/timer.h> #include <linux/timer.h>
#include <linux/netlink.h> #include <linux/netlink.h>
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_ulog.h> #include <linux/netfilter_bridge/ebt_ulog.h>
#include <net/netfilter/nf_log.h> #include <net/netfilter/nf_log.h>
...@@ -260,8 +261,7 @@ static int ebt_ulog_check(const char *tablename, unsigned int hookmask, ...@@ -260,8 +261,7 @@ static int ebt_ulog_check(const char *tablename, unsigned int hookmask,
{ {
struct ebt_ulog_info *uloginfo = data; struct ebt_ulog_info *uloginfo = data;
if (datalen != EBT_ALIGN(sizeof(struct ebt_ulog_info)) || if (uloginfo->nlgroup > 31)
uloginfo->nlgroup > 31)
return -EINVAL; return -EINVAL;
uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
...@@ -276,6 +276,7 @@ static struct ebt_watcher ulog __read_mostly = { ...@@ -276,6 +276,7 @@ static struct ebt_watcher ulog __read_mostly = {
.name = EBT_ULOG_WATCHER, .name = EBT_ULOG_WATCHER,
.watcher = ebt_ulog, .watcher = ebt_ulog,
.check = ebt_ulog_check, .check = ebt_ulog_check,
.targetsize = XT_ALIGN(sizeof(struct ebt_ulog_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/if_vlan.h> #include <linux/if_vlan.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/moduleparam.h> #include <linux/moduleparam.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_vlan.h> #include <linux/netfilter_bridge/ebt_vlan.h>
...@@ -93,14 +94,6 @@ ebt_check_vlan(const char *tablename, ...@@ -93,14 +94,6 @@ ebt_check_vlan(const char *tablename,
{ {
struct ebt_vlan_info *info = data; struct ebt_vlan_info *info = data;
/* Parameters buffer overflow check */
if (datalen != EBT_ALIGN(sizeof(struct ebt_vlan_info))) {
DEBUG_MSG
("passed size %d is not eq to ebt_vlan_info (%Zd)\n",
datalen, sizeof(struct ebt_vlan_info));
return -EINVAL;
}
/* Is it 802.1Q frame checked? */ /* Is it 802.1Q frame checked? */
if (e->ethproto != htons(ETH_P_8021Q)) { if (e->ethproto != htons(ETH_P_8021Q)) {
DEBUG_MSG DEBUG_MSG
...@@ -173,6 +166,7 @@ static struct ebt_match filter_vlan __read_mostly = { ...@@ -173,6 +166,7 @@ static struct ebt_match filter_vlan __read_mostly = {
.name = EBT_VLAN_MATCH, .name = EBT_VLAN_MATCH,
.match = ebt_filter_vlan, .match = ebt_filter_vlan,
.check = ebt_check_vlan, .check = ebt_check_vlan,
.matchsize = XT_ALIGN(sizeof(struct ebt_vlan_info)),
.me = THIS_MODULE, .me = THIS_MODULE,
}; };
......
...@@ -19,6 +19,7 @@ ...@@ -19,6 +19,7 @@
#include <linux/kmod.h> #include <linux/kmod.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/vmalloc.h> #include <linux/vmalloc.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge/ebtables.h> #include <linux/netfilter_bridge/ebtables.h>
#include <linux/spinlock.h> #include <linux/spinlock.h>
#include <linux/mutex.h> #include <linux/mutex.h>
...@@ -59,8 +60,9 @@ static LIST_HEAD(ebt_targets); ...@@ -59,8 +60,9 @@ static LIST_HEAD(ebt_targets);
static LIST_HEAD(ebt_matches); static LIST_HEAD(ebt_matches);
static LIST_HEAD(ebt_watchers); static LIST_HEAD(ebt_watchers);
static struct ebt_target ebt_standard_target = static struct ebt_target ebt_standard_target = {
{ {NULL, NULL}, EBT_STANDARD_TARGET, NULL, NULL, NULL, NULL}; .name = "standard",
};
static inline int ebt_do_watcher (struct ebt_entry_watcher *w, static inline int ebt_do_watcher (struct ebt_entry_watcher *w,
const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in, const struct sk_buff *skb, unsigned int hooknr, const struct net_device *in,
...@@ -350,6 +352,18 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e, ...@@ -350,6 +352,18 @@ ebt_check_match(struct ebt_entry_match *m, struct ebt_entry *e,
return -ENOENT; return -ENOENT;
} }
mutex_unlock(&ebt_mutex); mutex_unlock(&ebt_mutex);
if (XT_ALIGN(match->matchsize) != m->match_size &&
match->matchsize != -1) {
/*
* ebt_among is exempt from centralized matchsize checking
* because it uses a dynamic-size data set.
*/
printk(KERN_WARNING "ebtables: %s match: "
"invalid size %Zu != %u\n",
match->name, XT_ALIGN(match->matchsize), m->match_size);
module_put(match->me);
return -EINVAL;
}
if (match->check && if (match->check &&
match->check(name, hookmask, e, m->data, m->match_size) != 0) { match->check(name, hookmask, e, m->data, m->match_size) != 0) {
BUGPRINT("match->check failed\n"); BUGPRINT("match->check failed\n");
...@@ -380,6 +394,14 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e, ...@@ -380,6 +394,14 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct ebt_entry *e,
return -ENOENT; return -ENOENT;
} }
mutex_unlock(&ebt_mutex); mutex_unlock(&ebt_mutex);
if (XT_ALIGN(watcher->targetsize) != w->watcher_size) {
printk(KERN_WARNING "ebtables: %s watcher: "
"invalid size %Zu != %u\n",
watcher->name, XT_ALIGN(watcher->targetsize),
w->watcher_size);
module_put(watcher->me);
return -EINVAL;
}
if (watcher->check && if (watcher->check &&
watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) { watcher->check(name, hookmask, e, w->data, w->watcher_size) != 0) {
BUGPRINT("watcher->check failed\n"); BUGPRINT("watcher->check failed\n");
...@@ -681,9 +703,20 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo, ...@@ -681,9 +703,20 @@ ebt_check_entry(struct ebt_entry *e, struct ebt_table_info *newinfo,
ret = -EFAULT; ret = -EFAULT;
goto cleanup_watchers; goto cleanup_watchers;
} }
} else if (t->target_size > gap - sizeof(struct ebt_entry_target) || } else if (t->target_size > gap - sizeof(struct ebt_entry_target)) {
(t->u.target->check && module_put(t->u.target->me);
t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0)){ ret = -EFAULT;
goto cleanup_watchers;
} else if (XT_ALIGN(target->targetsize) != t->target_size) {
printk(KERN_WARNING "ebtables: %s target: "
"invalid size %Zu != %u\n",
target->name, XT_ALIGN(target->targetsize),
t->target_size);
module_put(t->u.target->me);
ret = -EINVAL;
goto cleanup_watchers;
} else if (t->u.target->check &&
t->u.target->check(name, hookmask, e, t->data, t->target_size) != 0) {
module_put(t->u.target->me); module_put(t->u.target->me);
ret = -EFAULT; ret = -EFAULT;
goto cleanup_watchers; goto cleanup_watchers;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment