Commit 6176b8c4 authored by Jakub Kicinski
Florian Westphal says:

====================
netfilter updates for net-next

First patch resolves a fortify warning by wrapping the to-be-copied
members via struct_group.

Second patch replaces array[0] with array[] in ebtables uapi.
Both changes from GONG Ruiqi.

The largest chunk is replacement of strncpy with strscpy_pad()
in netfilter, from Justin Stitt.

Last patch, from myself, aborts ruleset validation if a fatal
signal is pending, this speeds up process exit.

* tag 'nf-next-23-08-22' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables: allow loop termination for pending fatal signal
  netfilter: xtables: refactor deprecated strncpy
  netfilter: x_tables: refactor deprecated strncpy
  netfilter: nft_meta: refactor deprecated strncpy
  netfilter: nft_osf: refactor deprecated strncpy
  netfilter: nf_tables: refactor deprecated strncpy
  netfilter: nf_tables: refactor deprecated strncpy
  netfilter: ipset: refactor deprecated strncpy
  netfilter: ebtables: replace zero-length array members
  netfilter: ebtables: fix fortify warnings in size_entry_mwt()
====================

Link: https://lore.kernel.org/r/20230822154336.12888-1-fw@strlen.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 978f4175 169384fb
+12 −10
@@ -87,7 +87,7 @@ struct ebt_entries {
	/* nr. of entries */
	unsigned int nentries;
	/* entry list */
	char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
	char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

/* used for the bitmask of struct ebt_entry */
@@ -129,7 +129,7 @@ struct ebt_entry_match {
	} u;
	/* size of data */
	unsigned int match_size;
	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
	unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

struct ebt_entry_watcher {
@@ -142,7 +142,7 @@ struct ebt_entry_watcher {
	} u;
	/* size of data */
	unsigned int watcher_size;
	unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
	unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

struct ebt_entry_target {
@@ -182,13 +182,15 @@ struct ebt_entry {
	unsigned char sourcemsk[ETH_ALEN];
	unsigned char destmac[ETH_ALEN];
	unsigned char destmsk[ETH_ALEN];
	__struct_group(/* no tag */, offsets, /* no attrs */,
		/* sizeof ebt_entry + matches */
		unsigned int watchers_offset;
		/* sizeof ebt_entry + matches + watchers */
		unsigned int target_offset;
		/* sizeof ebt_entry + matches + watchers + target */
		unsigned int next_offset;
	unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
	);
	unsigned char elems[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
};

static __inline__ struct ebt_entry_target *
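Review bot: The new `offsets` group in struct ebt_entry carries no comment saying that its layout is a contract, yet size_entry_mwt() copies it wholesale with `memcpy(&offsets[1], &entry->offsets, sizeof(entry->offsets))`, so adding, reordering or widening a member changes what that copy produces without any compiler diagnostic at this site. I would add above the `__struct_group(` line: `/* Copied as one unit by size_entry_mwt(); keep these three contiguous and in this order. */`. `__struct_group` comes from the uapi `<linux/stddef.h>`; whether this header already includes it is not visible in the hunk, and a userspace consumer that does not pull in that header would fail to compile the struct. The `data[0]` to `data[]` conversions in the earlier hunks are plain flexible-array replacements and need nothing further.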
+1 −2
@@ -2115,8 +2115,7 @@ static int size_entry_mwt(const struct ebt_entry *entry, const unsigned char *ba
		return ret;

	offsets[0] = sizeof(struct ebt_entry); /* matches come first */
	memcpy(&offsets[1], &entry->watchers_offset,
			sizeof(offsets) - sizeof(offsets[0]));
	memcpy(&offsets[1], &entry->offsets, sizeof(entry->offsets));

	if (state->buf_kern_start) {
		buf_start = state->buf_kern_start + state->buf_kern_offset;
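Review bot: The memcpy at `memcpy(&offsets[1], &entry->offsets, sizeof(entry->offsets));` now sizes the copy from the source group instead of from the destination array, so the two can drift apart without a compile error if a member is ever added to the group while the local `offsets` array keeps its length; the fortify check that motivated the change only fires at runtime. A one-line build-time guard pins the equality: `BUILD_BUG_ON(sizeof(entry->offsets) != sizeof(offsets) - sizeof(offsets[0]));`, placed immediately before the memcpy. size_entry_mwt() begins and ends outside the hunk and the declaration of `offsets` is not visible here, so the array length is inferred from the `sizeof(offsets) - sizeof(offsets[0])` expression the commit removes.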
+5 −5
@@ -872,7 +872,7 @@ ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name)
	BUG_ON(!set);

	read_lock_bh(&ip_set_ref_lock);
	strncpy(name, set->name, IPSET_MAXNAMELEN);
	strscpy_pad(name, set->name, IPSET_MAXNAMELEN);
	read_unlock_bh(&ip_set_ref_lock);
}
EXPORT_SYMBOL_GPL(ip_set_name_byindex);
@@ -1326,7 +1326,7 @@ static int ip_set_rename(struct sk_buff *skb, const struct nfnl_info *info,
			goto out;
		}
	}
	strncpy(set->name, name2, IPSET_MAXNAMELEN);
	strscpy_pad(set->name, name2, IPSET_MAXNAMELEN);

out:
	write_unlock_bh(&ip_set_ref_lock);
@@ -1380,9 +1380,9 @@ static int ip_set_swap(struct sk_buff *skb, const struct nfnl_info *info,
		return -EBUSY;
	}

	strncpy(from_name, from->name, IPSET_MAXNAMELEN);
	strncpy(from->name, to->name, IPSET_MAXNAMELEN);
	strncpy(to->name, from_name, IPSET_MAXNAMELEN);
	strscpy_pad(from_name, from->name, IPSET_MAXNAMELEN);
	strscpy_pad(from->name, to->name, IPSET_MAXNAMELEN);
	strscpy_pad(to->name, from_name, IPSET_MAXNAMELEN);

	swap(from->ref, to->ref);
	ip_set(inst, from_id) = to;
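Review bot: Every `strscpy_pad()` call in the three hunks (ip_set_name_byindex, ip_set_rename, ip_set_swap) discards its return value, so a source of exactly IPSET_MAXNAMELEN non-NUL bytes would now be silently cut to IPSET_MAXNAMELEN-1 characters where strncpy() copied all bytes unterminated; the nft_ct_get_eval hunk further down has the same shape with NF_CT_HELPER_NAME_LEN. This is only a behaviour change if such a name can exist, which depends on the name validation done when a set is created and is not visible here. I would record the assumption once, e.g. above the three copies in ip_set_swap: `/* set names are NUL-terminated within IPSET_MAXNAMELEN, so strscpy_pad() never truncates */`, or check for -E2BIG on the ip_set_rename path, whose `name2` originates from the netlink request.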
+6 −0
@@ -3675,6 +3675,9 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
		return -EMLINK;

	list_for_each_entry(rule, &chain->rules, list) {
		if (fatal_signal_pending(current))
			return -EINTR;

		if (!nft_is_active_next(ctx->net, rule))
			continue;

@@ -10479,6 +10482,9 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
	if (ctx->chain == chain)
		return -ELOOP;

	if (fatal_signal_pending(current))
		return -EINTR;

	list_for_each_entry(rule, &chain->rules, list) {
		nft_rule_for_each_expr(expr, last, rule) {
			struct nft_immediate_expr *priv;
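Review bot: The new `fatal_signal_pending(current)` bail-outs in nft_chain_validate and nf_tables_check_loops return -EINTR without a comment on why abandoning validation part-way is safe; a reader will want to know that nothing has been committed at this point and that the callers, which are outside the hunks, presumably turn the error into a transaction abort. I would add above the check in nft_chain_validate a comment stating that the task is exiting and the partially validated state is discarded, and a one-line pointer to it at the check in nf_tables_check_loops, after verifying that every caller maps -EINTR to an abort rather than reporting it as a rule error. In nf_tables_check_loops the check sits before the per-rule loop rather than inside it, so a long chain is still walked in full once entered; if that is deliberate because the recursion bounds the work, a short note saying so would forestall a follow-up moving it. Both functions begin and end outside the hunks.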
+1 −1
@@ -108,7 +108,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
		helper = rcu_dereference(help->helper);
		if (helper == NULL)
			goto err;
		strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
		strscpy_pad((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
		return;
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS: {