Re: [PATCH net-next 17/20] net/fib_rules: Update fib_nl_dumprule for strict data checking

Sun, 07 Oct 2018 03:55:57 -0700 

On Thu, Oct 04, 2018 at 02:33:52PM -0700, David Ahern wrote:
> From: David Ahern <dsah...@gmail.com>
> 
> Update fib_nl_dumprule for strict data checking. If the flag is set,
> the dump request is expected to have fib_rule_hdr struct as the header.
> All elements of the struct are expected to be 0 and no attributes can
> be appended.
> 
> Signed-off-by: David Ahern <dsah...@gmail.com>

Acked-by: Christian Brauner <christ...@brauner.io>

> ---
>  net/core/fib_rules.c | 36 +++++++++++++++++++++++++++++++++++-
>  1 file changed, 35 insertions(+), 1 deletion(-)
> 
> diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
> index 0ff3953f64aa..e3cf50728d0a 100644
> --- a/net/core/fib_rules.c
> +++ b/net/core/fib_rules.c
> @@ -1063,13 +1063,47 @@ static int dump_rules(struct sk_buff *skb, struct 
> netlink_callback *cb,
>       return err;
>  }
>  
> +static int fib_valid_dumprule(const struct nlmsghdr *nlh,
> +                           struct netlink_ext_ack *extack)
> +{
> +     struct fib_rule_hdr *frh;
> +
> +     if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
> +             NL_SET_ERR_MSG(extack, "Invalid header");
> +             return -EINVAL;
> +     }
> +
> +     frh = nlmsg_data(nlh);
> +     if (frh->dst_len || frh->src_len || frh->tos || frh->table ||
> +         frh->res1 || frh->res2 || frh->action || frh->flags) {
> +             NL_SET_ERR_MSG(extack,
> +                            "Invalid values in header for dump request");
> +             return -EINVAL;
> +     }
> +
> +     if (nlh->nlmsg_len != nlmsg_msg_size(sizeof(*frh))) {
> +             NL_SET_ERR_MSG(extack, "Invalid data after header");
> +             return -EINVAL;
> +     }
> +
> +     return 0;
> +}
> +
>  static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
>  {
> +     const struct nlmsghdr *nlh = cb->nlh;
>       struct net *net = sock_net(skb->sk);
>       struct fib_rules_ops *ops;
>       int idx = 0, family;
>  
> -     family = rtnl_msg_family(cb->nlh);
> +     if (cb->strict_check) {
> +             int err = fib_valid_dumprule(nlh, cb->extack);
> +
> +             if (err)
> +                     return err;
> +     }
> +
> +     family = rtnl_msg_family(nlh);
>       if (family != AF_UNSPEC) {
>               /* Protocol specific dump request */
>               ops = lookup_rules_ops(net, family);
> -- 
> 2.11.0
>

Reply via email to