Commit 1b293e30 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: x_tables: move hook entry checks into core 



Allow followup patch to change on location instead of three.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 472ebdcd

include/linux/netfilter/x_tables.h

+2 −0
Original line number Original line Diff line number Diff line
@@ -281,6 +281,8 @@ int xt_check_entry_offsets(const void *base, const char *elems, 
			   unsigned int target_offset,

			   unsigned int target_offset,

			   unsigned int next_offset);

			   unsigned int next_offset);





int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks);



unsigned int *xt_alloc_entry_offsets(unsigned int size);

unsigned int *xt_alloc_entry_offsets(unsigned int size);

bool xt_find_jump_offset(const unsigned int *offsets,

bool xt_find_jump_offset(const unsigned int *offsets,

			 unsigned int target, unsigned int size);

			 unsigned int target, unsigned int size);

net/ipv4/netfilter/arp_tables.c

+3 −10
Original line number Original line Diff line number Diff line
@@ -555,16 +555,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, 
	if (i != repl->num_entries)

	if (i != repl->num_entries)

		goto out_free;

		goto out_free;





	/* Check hooks all assigned */

	ret = xt_check_table_hooks(newinfo, repl->valid_hooks);

	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {

	if (ret)

		/* Only hooks which are valid */

		if (!(repl->valid_hooks & (1 << i)))

			continue;

		if (newinfo->hook_entry[i] == 0xFFFFFFFF)

			goto out_free;

		if (newinfo->underflow[i] == 0xFFFFFFFF)

		goto out_free;

		goto out_free;

	}





	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {

	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {

		ret = -ELOOP;

		ret = -ELOOP;

net/ipv4/netfilter/ip_tables.c

+3 −10
Original line number Original line Diff line number Diff line
@@ -702,16 +702,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, 
	if (i != repl->num_entries)

	if (i != repl->num_entries)

		goto out_free;

		goto out_free;





	/* Check hooks all assigned */

	ret = xt_check_table_hooks(newinfo, repl->valid_hooks);

	for (i = 0; i < NF_INET_NUMHOOKS; i++) {

	if (ret)

		/* Only hooks which are valid */

		if (!(repl->valid_hooks & (1 << i)))

			continue;

		if (newinfo->hook_entry[i] == 0xFFFFFFFF)

			goto out_free;

		if (newinfo->underflow[i] == 0xFFFFFFFF)

		goto out_free;

		goto out_free;

	}





	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {

	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {

		ret = -ELOOP;

		ret = -ELOOP;

net/ipv6/netfilter/ip6_tables.c

+3 −10
Original line number Original line Diff line number Diff line
@@ -720,16 +720,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, 
	if (i != repl->num_entries)

	if (i != repl->num_entries)

		goto out_free;

		goto out_free;





	/* Check hooks all assigned */

	ret = xt_check_table_hooks(newinfo, repl->valid_hooks);

	for (i = 0; i < NF_INET_NUMHOOKS; i++) {

	if (ret)

		/* Only hooks which are valid */

		if (!(repl->valid_hooks & (1 << i)))

			continue;

		if (newinfo->hook_entry[i] == 0xFFFFFFFF)

			goto out_free;

		if (newinfo->underflow[i] == 0xFFFFFFFF)

		goto out_free;

		goto out_free;

	}





	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {

	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0, offsets)) {

		ret = -ELOOP;

		ret = -ELOOP;

net/netfilter/x_tables.c

+29 −0
Original line number Original line Diff line number Diff line
@@ -518,6 +518,35 @@ static int xt_check_entry_match(const char *match, const char *target, 
	return 0;

	return 0;

}

}





/** xt_check_table_hooks - check hook entry points are sane

 *

 * @info xt_table_info to check

 * @valid_hooks - hook entry points that we can enter from

 *

 * Validates that the hook entry and underflows points are set up.

 *

 * Return: 0 on success, negative errno on failure.

 */

int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks)

{

	unsigned int i;



	BUILD_BUG_ON(ARRAY_SIZE(info->hook_entry) != ARRAY_SIZE(info->underflow));



	for (i = 0; i < ARRAY_SIZE(info->hook_entry); i++) {

		if (!(valid_hooks & (1 << i)))

			continue;



		if (info->hook_entry[i] == 0xFFFFFFFF)

			return -EINVAL;

		if (info->underflow[i] == 0xFFFFFFFF)

			return -EINVAL;

	}



	return 0;

}

EXPORT_SYMBOL(xt_check_table_hooks);



#ifdef CONFIG_COMPAT

#ifdef CONFIG_COMPAT

int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)

int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)

{

{