From owner-svn-src-head@freebsd.org Tue Nov 3 10:29:48 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5B87BA23C4C; Tue, 3 Nov 2015 10:29:48 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1D7B918CD; Tue, 3 Nov 2015 10:29:48 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tA3ATl0Z092400; Tue, 3 Nov 2015 10:29:47 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tA3ATkuD092396; Tue, 3 Nov 2015 10:29:46 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201511031029.tA3ATkuD092396@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Tue, 3 Nov 2015 10:29:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r290332 - head/sys/netpfil/ipfw X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Nov 2015 10:29:48 -0000 Author: ae Date: Tue Nov 3 10:29:46 2015 New Revision: 290332 URL: https://svnweb.freebsd.org/changeset/base/290332 Log: Add ipfw_check_object_name_generic() function to do basic checks for an object name correctness. Each type of object can do more strict checking in own implementation. Do such checks for tables in check_table_name(). Reviewed by: melifaro Obtained from: Yandex LLC Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw_private.h head/sys/netpfil/ipfw/ip_fw_sockopt.c head/sys/netpfil/ipfw/ip_fw_table.c head/sys/netpfil/ipfw/ip_fw_table.h Modified: head/sys/netpfil/ipfw/ip_fw_private.h ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_private.h Tue Nov 3 10:24:54 2015 (r290331) +++ head/sys/netpfil/ipfw/ip_fw_private.h Tue Nov 3 10:29:46 2015 (r290332) 
@@ -693,6 +693,7 @@ void update_opcode_kidx(ipfw_insn *cmd,
 int classify_opcode_kidx(ipfw_insn *cmd, uint16_t *puidx);
 void ipfw_init_srv(struct ip_fw_chain *ch);
 void ipfw_destroy_srv(struct ip_fw_chain *ch);
+int ipfw_check_object_name_generic(const char *name);
 
 /* In ip_fw_table.c */
 struct table_info;
Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_sockopt.c Tue Nov 3 10:24:54 2015 (r290331)
+++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Tue Nov 3 10:29:46 2015 (r290332)
@@ -2156,19 +2156,16 @@ cleanup:
 return (error);
 }
 
-static int
-check_object_name(ipfw_obj_ntlv *ntlv)
+int
+ipfw_check_object_name_generic(const char *name)
 {
- int error;
-
- switch (ntlv->head.type) {
- case IPFW_TLV_TBL_NAME:
- error = ipfw_check_table_name(ntlv->name);
- break;
- default:
- error = ENOTSUP;
- }
+ int nsize;
 
+ nsize = sizeof(((ipfw_obj_ntlv *)0)->name);
+ if (strnlen(name, nsize) == nsize)
+ return (EINVAL);
+ if (name[0] == '\0')
+ return (EINVAL);
 return (0);
 }
 
@@ -2483,7 +2480,7 @@ add_rules(struct ip_fw_chain *chain, ip_
 if (ntlv->head.length != sizeof(ipfw_obj_ntlv))
 return (EINVAL);
 
- error = check_object_name(ntlv);
+ error = ipfw_check_object_name_generic(ntlv->name);
 if (error != 0)
 return (error);
 
Modified: head/sys/netpfil/ipfw/ip_fw_table.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_table.c Tue Nov 3 10:24:54 2015 (r290331)
+++ head/sys/netpfil/ipfw/ip_fw_table.c Tue Nov 3 10:29:46 2015 (r290332)
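Review bot: In ipfw_check_object_name_generic() `nsize` is declared `int` but receives a `size_t` from `sizeof` and is then compared with the `size_t` result of `strnlen`, so both steps go through an implicit signed/unsigned conversion; `size_t nsize;` matches the operands and avoids -Wsign-compare warnings. The function is newly exported through ip_fw_private.h yet carries no header comment stating its contract; a comment such as `/* Generic object name check: rejects an empty name or one that is not NUL-terminated within sizeof(ipfw_obj_ntlv.name). Returns 0 if valid, EINVAL otherwise. */` would tell callers in other files exactly what is and is not validated. As written the check accepts any byte values, so any character-set restriction is left to the per-type validators the commit message mentions.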
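Review bot: After the replacement in add_rules(), only the name field of the TLV is validated at this point; `ntlv->head.type` is no longer examined, whereas the removed switch in check_object_name() computed ENOTSUP for non-table types (although that value was then discarded and 0 returned). If unsupported TLV types are meant to be rejected here and `head.type` is not checked elsewhere in add_rules (its body lies outside the hunk), an explicit `if (ntlv->head.type != IPFW_TLV_TBL_NAME) return (ENOTSUP);` before the name check would make the intent of the old dispatch real rather than implied.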
@@ -115,6 +115,7 @@ static int dump_table_xentry(void *e, vo
 static int swap_tables(struct ip_fw_chain *ch, struct tid_info *a,
 struct tid_info *b);
+static int check_table_name(const char *name);
 static int check_table_space(struct ip_fw_chain *ch, struct tableop_state *ts,
 struct table_config *tc, struct table_info *ti, uint32_t count);
 static int destroy_table(struct ip_fw_chain *ch, struct tid_info *ti);
@@ -1794,7 +1795,7 @@ modify_table(struct ip_fw_chain *ch, ip_
 * Check for null-terminated/zero-length strings/
 */
 tname = oh->ntlv.name;
- if (ipfw_check_table_name(tname) != 0)
+ if (check_table_name(tname) != 0)
 return (EINVAL);
 
 objheader_to_ti(oh, &ti);
@@ -1851,7 +1852,7 @@ create_table(struct ip_fw_chain *ch, ip_
 */
 tname = oh->ntlv.name;
 aname = i->algoname;
- if (ipfw_check_table_name(tname) != 0 ||
+ if (check_table_name(tname) != 0 ||
 strnlen(aname, sizeof(i->algoname)) == sizeof(i->algoname))
 return (EINVAL);
 
@@ -2915,25 +2916,14 @@ static struct opcode_obj_rewrite opcodes
 *
 * Returns 0 if name is considered valid.
 */
-int
-ipfw_check_table_name(char *name)
+static int
+check_table_name(const char *name)
 {
- int nsize;
- ipfw_obj_ntlv *ntlv = NULL;
-
- nsize = sizeof(ntlv->name);
-
- if (strnlen(name, nsize) == nsize)
- return (EINVAL);
-
- if (name[0] == '\0')
- return (EINVAL);
 
 /*
 * TODO: do some more complicated checks
 */
-
- return (0);
+ return (ipfw_check_object_name_generic(name));
 }
 
 /*
@@ -2965,7 +2955,7 @@ find_name_tlv(void *tlvs, int len, uint1
 if (ntlv->idx != uidx)
 continue;
 
- if (ipfw_check_table_name(ntlv->name) != 0)
+ if (check_table_name(ntlv->name) != 0)
 return (NULL);
 
 return (ntlv);
Modified: head/sys/netpfil/ipfw/ip_fw_table.h
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_table.h Tue Nov 3 10:24:54 2015 (r290331)
+++ head/sys/netpfil/ipfw/ip_fw_table.h Tue Nov 3 10:29:46 2015 (r290332)
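Review bot: check_table_name() now opens with an empty line directly after `{`, left over from the removed declarations, followed only by the TODO comment and a single return; dropping that blank line restores the usual style(9) layout for a function with no locals. The comment above the function still reads `Returns 0 if name is considered valid.` without saying that the table-specific check currently adds nothing beyond the generic one; extending it to `Returns 0 if name is considered valid. Currently only the generic object-name check is applied; table-specific rules are a TODO.` keeps the remaining TODO honest for the next reader. The function's leading comment block starts outside the hunk.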
@@ -187,7 +187,6 @@ void ipfw_unref_rule_tables(struct ip_fw
 struct namedobj_instance *ipfw_get_table_objhash(struct ip_fw_chain *ch);
 
 /* utility functions */
-int ipfw_check_table_name(char *name);
 int ipfw_move_tables_sets(struct ip_fw_chain *ch, ipfw_range_tlv *rt,
 uint32_t new_set);
 void ipfw_swap_tables_sets(struct ip_fw_chain *ch, uint32_t old_set,