author | ae <ae@FreeBSD.org> | 2015-11-03 10:29:46 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2015-11-03 10:29:46 +0000 |
commit | f4da06a164348aa3238344233e027dd635535865 (patch) | |
tree | a41018c4566740f3ca819f740beab8384472fcd1 /sys/netpfil | |
parent | 750b62ddbe83065a7addaeebf7b25c178265dc35 (diff) | |
Add ipfw_check_object_name_generic() function to do basic checks of
object name correctness. Each type of object can do more strict checking
in its own implementation. Do such checks for tables in check_table_name().
Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Diffstat (limited to 'sys/netpfil')
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_private.h | 1 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_sockopt.c | 21 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_table.c | 24 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_table.h | 1 |
4 files changed, 17 insertions, 30 deletions
diff --git a/sys/netpfil/ipfw/ip_fw_private.h b/sys/netpfil/ipfw/ip_fw_private.h
index 0950c4c..b36ca3f 100644
--- a/sys/netpfil/ipfw/ip_fw_private.h
+++ b/sys/netpfil/ipfw/ip_fw_private.h
@@ -693,6 +693,7 @@ void update_opcode_kidx(ipfw_insn *cmd, uint16_t idx);
 int classify_opcode_kidx(ipfw_insn *cmd, uint16_t *puidx);
 void ipfw_init_srv(struct ip_fw_chain *ch);
 void ipfw_destroy_srv(struct ip_fw_chain *ch);
+int ipfw_check_object_name_generic(const char *name);
 
 /* In ip_fw_table.c */
 struct table_info;
diff --git a/sys/netpfil/ipfw/ip_fw_sockopt.c b/sys/netpfil/ipfw/ip_fw_sockopt.c
index 3e2ae93..6fbce0c 100644
--- a/sys/netpfil/ipfw/ip_fw_sockopt.c
+++ b/sys/netpfil/ipfw/ip_fw_sockopt.c
@@ -2156,19 +2156,16 @@ cleanup:
 	return (error);
 }
 
-static int
-check_object_name(ipfw_obj_ntlv *ntlv)
+int
+ipfw_check_object_name_generic(const char *name)
 {
-	int error;
-
-	switch (ntlv->head.type) {
-	case IPFW_TLV_TBL_NAME:
-		error = ipfw_check_table_name(ntlv->name);
-		break;
-	default:
-		error = ENOTSUP;
-	}
+	int nsize;
 
+	nsize = sizeof(((ipfw_obj_ntlv *)0)->name);
+	if (strnlen(name, nsize) == nsize)
+		return (EINVAL);
+	if (name[0] == '\0')
+		return (EINVAL);
 	return (0);
 }
 
@@ -2483,7 +2480,7 @@ add_rules(struct ip_fw_chain *chain, ip_fw3_opheader *op3,
 		if (ntlv->head.length != sizeof(ipfw_obj_ntlv))
 			return (EINVAL);
 
-		error = check_object_name(ntlv);
+		error = ipfw_check_object_name_generic(ntlv->name);
 		if (error != 0)
 			return (error);
 
diff --git a/sys/netpfil/ipfw/ip_fw_table.c b/sys/netpfil/ipfw/ip_fw_table.c
index f942541..974822c 100644
--- a/sys/netpfil/ipfw/ip_fw_table.c
+++ b/sys/netpfil/ipfw/ip_fw_table.c
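Review bot: `ipfw_check_object_name_generic()` becomes a cross-file API via ip_fw_private.h but carries no comment stating its contract, and `nsize` is an `int` that receives a `size_t` and is then compared with the `size_t` result of `strnlen()`. The check is only sound when the caller passes a buffer of at least `sizeof(((ipfw_obj_ntlv *)0)->name)` bytes; add_rules guarantees that through the `head.length` comparison visible in the following hunk, but nothing at the definition says so. Since add_rules now runs this for every name TLV regardless of `head.type` (the old `ENOTSUP` branch is gone), type-specific validation is silently left to each object's own code. I would write `size_t nsize = sizeof(((ipfw_obj_ntlv *)0)->name);` and add a header comment above `int` saying the name must be non-empty and NUL-terminated within the ipfw_obj_ntlv name field, that EINVAL is returned otherwise, and that object types are expected to apply stricter rules on top.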
@@ -115,6 +115,7 @@ static int dump_table_xentry(void *e, void *arg);
 
 static int swap_tables(struct ip_fw_chain *ch, struct tid_info *a,
     struct tid_info *b);
+static int check_table_name(const char *name);
 static int check_table_space(struct ip_fw_chain *ch, struct tableop_state *ts,
     struct table_config *tc, struct table_info *ti, uint32_t count);
 static int destroy_table(struct ip_fw_chain *ch, struct tid_info *ti);
@@ -1794,7 +1795,7 @@ modify_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
 	 * Check for null-terminated/zero-length strings/
 	 */
 	tname = oh->ntlv.name;
-	if (ipfw_check_table_name(tname) != 0)
+	if (check_table_name(tname) != 0)
 		return (EINVAL);
 
 	objheader_to_ti(oh, &ti);
@@ -1851,7 +1852,7 @@ create_table(struct ip_fw_chain *ch, ip_fw3_opheader *op3,
 	 */
 	tname = oh->ntlv.name;
 	aname = i->algoname;
-	if (ipfw_check_table_name(tname) != 0 ||
+	if (check_table_name(tname) != 0 ||
 	    strnlen(aname, sizeof(i->algoname)) == sizeof(i->algoname))
 		return (EINVAL);
 
@@ -2915,25 +2916,14 @@ static struct opcode_obj_rewrite opcodes[] = {
  *
  * Returns 0 if name is considered valid.
  */
-int
-ipfw_check_table_name(char *name)
+static int
+check_table_name(const char *name)
 {
-	int nsize;
-	ipfw_obj_ntlv *ntlv = NULL;
-
-	nsize = sizeof(ntlv->name);
-
-	if (strnlen(name, nsize) == nsize)
-		return (EINVAL);
-
-	if (name[0] == '\0')
-		return (EINVAL);
 
 	/*
 	 * TODO: do some more complicated checks
 	 */
-
-	return (0);
+	return (ipfw_check_object_name_generic(name));
 }
 
 /*
@@ -2965,7 +2955,7 @@ find_name_tlv(void *tlvs, int len, uint16_t uidx)
 		if (ntlv->idx != uidx)
 			continue;
 
-		if (ipfw_check_table_name(ntlv->name) != 0)
+		if (check_table_name(ntlv->name) != 0)
 			return (NULL);
 
 		return (ntlv);
diff --git a/sys/netpfil/ipfw/ip_fw_table.h b/sys/netpfil/ipfw/ip_fw_table.h
index ca49fd4..d657848 100644
--- a/sys/netpfil/ipfw/ip_fw_table.h
+++ b/sys/netpfil/ipfw/ip_fw_table.h
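Review bot: `check_table_name()` in the `@@ -2915` hunk performs no table-specific validation — it only forwards to `ipfw_check_object_name_generic()` and keeps the `TODO: do some more complicated checks` above the return, so the commit description's "do such checks for tables" is not yet backed by code. The function's header comment opens outside the hunk and its visible tail still says only `Returns 0 if name is considered valid.`; as the three callers in modify_table, create_table and find_name_tlv each map a non-zero result to EINVAL or NULL, I would extend it with `Returns EINVAL for an empty or unterminated name (see ipfw_check_object_name_generic()).` and reword the TODO as `TODO: add table-specific checks beyond the generic ones.` so the wrapper's current scope is explicit.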
@@ -187,7 +187,6 @@ void ipfw_unref_rule_tables(struct ip_fw_chain *chain, struct ip_fw *rule);
 struct namedobj_instance *ipfw_get_table_objhash(struct ip_fw_chain *ch);
 
 /* utility functions */
-int ipfw_check_table_name(char *name);
 int ipfw_move_tables_sets(struct ip_fw_chain *ch, ipfw_range_tlv *rt,
     uint32_t new_set);
 void ipfw_swap_tables_sets(struct ip_fw_chain *ch, uint32_t old_set,