git.baikalelectronics.ru Git - kernel.git/commit

author	Liping Zhang <zlpnobody@gmail.com>
	Fri, 20 Jan 2017 13:03:03 +0000 (21:03 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 23 Jan 2017 22:36:50 +0000 (23:36 +0100)
commit	62c3f0b8ffdc7a211554bec3162fb7798dfc2b5e
tree	7abd176fd1fd381b3bb355affb8bbaad268bb2f5	tree \| snapshot
parent	afb886e705516b3ebfdba244fed0f6b59d4786f5	commit \| diff

netfilter: nf_tables: validate the name size when possible

Currently, if the user add a stateful object with the name size exceed
NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
This is not friendly, furthermore, this will cause duplicated stateful
objects when the first 31 characters of the name is same. So limit the
stateful object's name size to NFT_OBJ_MAXNAMELEN - 1.

After apply this patch, error message will be printed out like this:
  # name_32=$(printf "%0.sQ" {1..32})
  # nft add counter filter $name_32
  <cmdline>:1:1-52: Error: Could not process rule: Numerical result out
  of range
  add counter filter QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Also this patch cleans up the codes which missing the name size limit
validation in nftables.

Fixes: d1eb7c6c809a ("netfilter: nf_tables: add stateful objects")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/netfilter/nf_tables_api.c		diff \| blob \| history
net/netfilter/nft_dynset.c		diff \| blob \| history
net/netfilter/nft_lookup.c		diff \| blob \| history
net/netfilter/nft_objref.c		diff \| blob \| history