Página inicial Explorar Ajuda
Registrar Entrar
phyus
/
linux-vybrid_public
8
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Ver código fonte

[NETFILTER]: Change {ip,ip6,arp}_tables to use centralized error checking

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy 19 anos atrás
pai
37f9f7334b
commit
3cdc7c953e
3 arquivos alterados com 50 adições e 13 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 8 3
      net/ipv4/netfilter/arp_tables.c
  2. 21 5
      net/ipv4/netfilter/ip_tables.c
  3. 21 5
      net/ipv6/netfilter/ip6_tables.c

+ 8 - 3
net/ipv4/netfilter/arp_tables.c
Ver arquivo 

@@ -480,6 +480,11 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
 
 	}
 
 	t->u.kernel.target = target;
 
 
+	ret = xt_check_target(target, NF_ARP, t->u.target_size - sizeof(*t),
 
+			      name, e->comefrom, 0, 0);
 
+	if (ret)
 
+		goto err;
 
+
 
 	if (t->u.kernel.target == &arpt_standard_target) {
 
 		if (!standard_check(t, size)) {
 
 			ret = -EINVAL;
 
@@ -490,16 +495,16 @@ static inline int check_entry(struct arpt_entry *e, const char *name, unsigned i
 
 						      t->u.target_size
 
 						      - sizeof(*t),
 
 						      e->comefrom)) {
 
-		module_put(t->u.kernel.target->me);
 
 		duprintf("arp_tables: check failed for `%s'.\n",
 
 			 t->u.kernel.target->name);
 
 		ret = -EINVAL;
 
-		goto out;
 
+		goto err;
 
 	}
 
 
 	(*i)++;
 
 	return 0;
 
-
 
+err:
 
+	module_put(t->u.kernel.target->me);
 
 out:
 
 	return ret;
 
 }

+ 21 - 5
net/ipv4/netfilter/ip_tables.c
Ver arquivo 

@@ -508,6 +508,7 @@ check_match(struct ipt_entry_match *m,
 
 	    unsigned int *i)
 
 {
 
 	struct ipt_match *match;
 
+	int ret;
 
 
 	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 
 						   m->u.user.revision),
 
@@ -518,18 +519,27 @@ check_match(struct ipt_entry_match *m,
 
 	}
 
 	m->u.kernel.match = match;
 
 
+	ret = xt_check_match(match, AF_INET, m->u.match_size - sizeof(*m),
 
+			     name, hookmask, ip->proto,
 
+			     ip->invflags & IPT_INV_PROTO);
 
+	if (ret)
 
+		goto err;
 
+
 
 	if (m->u.kernel.match->checkentry
 
 	    && !m->u.kernel.match->checkentry(name, ip, m->data,
 
 					      m->u.match_size - sizeof(*m),
 
 					      hookmask)) {
 
-		module_put(m->u.kernel.match->me);
 
 		duprintf("ip_tables: check failed for `%s'.\n",
 
 			 m->u.kernel.match->name);
 
-		return -EINVAL;
 
+		ret = -EINVAL;
 
+		goto err;
 
 	}
 
 
 	(*i)++;
 
 	return 0;
 
+err:
 
+	module_put(m->u.kernel.match->me);
 
+	return ret;
 
 }
 
 
 static struct ipt_target ipt_standard_target;
 
@@ -565,6 +575,12 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
 
 	}
 
 	t->u.kernel.target = target;
 
 
+	ret = xt_check_target(target, AF_INET, t->u.target_size - sizeof(*t),
 
+			      name, e->comefrom, e->ip.proto,
 
+			      e->ip.invflags & IPT_INV_PROTO);
 
+	if (ret)
 
+		goto err;
 
+
 
 	if (t->u.kernel.target == &ipt_standard_target) {
 
 		if (!standard_check(t, size)) {
 
 			ret = -EINVAL;
 
@@ -575,16 +591,16 @@ check_entry(struct ipt_entry *e, const char *name, unsigned int size,
 
 						      t->u.target_size
 
 						      - sizeof(*t),
 
 						      e->comefrom)) {
 
-		module_put(t->u.kernel.target->me);
 
 		duprintf("ip_tables: check failed for `%s'.\n",
 
 			 t->u.kernel.target->name);
 
 		ret = -EINVAL;
 
-		goto cleanup_matches;
 
+		goto err;
 
 	}
 
 
 	(*i)++;
 
 	return 0;
 
-
 
+ err:
 
+	module_put(t->u.kernel.target->me);
 
  cleanup_matches:
 
 	IPT_MATCH_ITERATE(e, cleanup_match, &j);
 
 	return ret;

+ 21 - 5
net/ipv6/netfilter/ip6_tables.c
Ver arquivo 

@@ -575,6 +575,7 @@ check_match(struct ip6t_entry_match *m,
 
 	    unsigned int *i)
 
 {
 
 	struct ip6t_match *match;
 
+	int ret;
 
 
 	match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
 
 			      		m->u.user.revision),
 
@@ -585,18 +586,27 @@ check_match(struct ip6t_entry_match *m,
 
 	}
 
 	m->u.kernel.match = match;
 
 
+	ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
 
+			     name, hookmask, ipv6->proto,
 
+			     ipv6->invflags & IP6T_INV_PROTO);
 
+	if (ret)
 
+		goto err;
 
+
 
 	if (m->u.kernel.match->checkentry
 
 	    && !m->u.kernel.match->checkentry(name, ipv6, m->data,
 
 					      m->u.match_size - sizeof(*m),
 
 					      hookmask)) {
 
-		module_put(m->u.kernel.match->me);
 
 		duprintf("ip_tables: check failed for `%s'.\n",
 
 			 m->u.kernel.match->name);
 
-		return -EINVAL;
 
+		ret = -EINVAL;
 
+		goto err;
 
 	}
 
 
 	(*i)++;
 
 	return 0;
 
+err:
 
+	module_put(m->u.kernel.match->me);
 
+	return ret;
 
 }
 
 
 static struct ip6t_target ip6t_standard_target;
 
@@ -632,6 +642,12 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
 
 	}
 
 	t->u.kernel.target = target;
 
 
+	ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
 
+			      name, e->comefrom, e->ipv6.proto,
 
+			      e->ipv6.invflags & IP6T_INV_PROTO);
 
+	if (ret)
 
+		goto err;
 
+
 
 	if (t->u.kernel.target == &ip6t_standard_target) {
 
 		if (!standard_check(t, size)) {
 
 			ret = -EINVAL;
 
@@ -642,16 +658,16 @@ check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
 
 						      t->u.target_size
 
 						      - sizeof(*t),
 
 						      e->comefrom)) {
 
-		module_put(t->u.kernel.target->me);
 
 		duprintf("ip_tables: check failed for `%s'.\n",
 
 			 t->u.kernel.target->name);
 
 		ret = -EINVAL;
 
-		goto cleanup_matches;
 
+		goto err;
 
 	}
 
 
 	(*i)++;
 
 	return 0;
 
-
 
+ err:
 
+	module_put(t->u.kernel.target->me);
 
  cleanup_matches:
 
 	IP6T_MATCH_ITERATE(e, cleanup_match, &j);
 
 	return ret;