License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 14:07:57 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2005-11-10 01:25:51 +00:00
|
|
|
/*
|
|
|
|
|
* NETLINK Netlink attributes
|
|
|
|
|
*
|
|
|
|
|
* Authors: Thomas Graf <tgraf@suug.ch>
|
|
|
|
|
* Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
|
|
|
|
|
*/
|
|
|
|
|
|
2011-11-17 02:29:17 +00:00
|
|
|
#include <linux/export.h>
|
2005-11-10 01:25:51 +00:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/jiffies.h>
|
2023-01-19 11:01:50 +00:00
|
|
|
#include <linux/nospec.h>
|
2005-11-10 01:25:51 +00:00
|
|
|
#include <linux/skbuff.h>
|
|
|
|
|
#include <linux/string.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <net/netlink.h>
|
|
|
|
|
|
2017-12-07 04:09:12 +00:00
|
|
|
/* For these data types, attribute length should be exactly the given
|
|
|
|
|
* size. However, to maintain compatibility with broken commands, if the
|
|
|
|
|
* attribute length does not match the expected size a warning is emitted
|
|
|
|
|
* to the user that the command is sending invalid data and needs to be fixed.
|
|
|
|
|
*/
|
2017-11-08 05:59:40 +00:00
|
|
|
static const u8 nla_attr_len[NLA_TYPE_MAX+1] = {
|
2005-11-10 01:25:51 +00:00
|
|
|
[NLA_U8] = sizeof(u8),
|
|
|
|
|
[NLA_U16] = sizeof(u16),
|
|
|
|
|
[NLA_U32] = sizeof(u32),
|
|
|
|
|
[NLA_U64] = sizeof(u64),
|
2012-08-25 22:47:57 +00:00
|
|
|
[NLA_S8] = sizeof(s8),
|
|
|
|
|
[NLA_S16] = sizeof(s16),
|
|
|
|
|
[NLA_S32] = sizeof(s32),
|
|
|
|
|
[NLA_S64] = sizeof(s64),
|
2024-02-21 17:27:33 +00:00
|
|
|
[NLA_BE16] = sizeof(__be16),
|
|
|
|
|
[NLA_BE32] = sizeof(__be32),
|
2005-11-10 01:25:51 +00:00
|
|
|
};
|
|
|
|
|
|
2017-11-08 05:59:40 +00:00
|
|
|
static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = {
|
2017-12-07 04:09:12 +00:00
|
|
|
[NLA_U8] = sizeof(u8),
|
|
|
|
|
[NLA_U16] = sizeof(u16),
|
|
|
|
|
[NLA_U32] = sizeof(u32),
|
|
|
|
|
[NLA_U64] = sizeof(u64),
|
2017-11-08 05:59:40 +00:00
|
|
|
[NLA_MSECS] = sizeof(u64),
|
|
|
|
|
[NLA_NESTED] = NLA_HDRLEN,
|
2017-12-07 04:09:12 +00:00
|
|
|
[NLA_S8] = sizeof(s8),
|
|
|
|
|
[NLA_S16] = sizeof(s16),
|
|
|
|
|
[NLA_S32] = sizeof(s32),
|
|
|
|
|
[NLA_S64] = sizeof(s64),
|
2024-02-21 17:27:33 +00:00
|
|
|
[NLA_BE16] = sizeof(__be16),
|
|
|
|
|
[NLA_BE32] = sizeof(__be32),
|
2017-11-08 05:59:40 +00:00
|
|
|
};
|
|
|
|
|
|
2020-04-30 20:13:06 +00:00
|
|
|
/*
|
|
|
|
|
* Nested policies might refer back to the original
|
|
|
|
|
* policy in some cases, and userspace could try to
|
|
|
|
|
* abuse that and recurse by nesting in the right
|
|
|
|
|
* ways. Limit recursion to avoid this problem.
|
|
|
|
|
*/
|
|
|
|
|
#define MAX_POLICY_RECURSION_DEPTH 10
|
|
|
|
|
|
|
|
|
|
static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype,
|
|
|
|
|
const struct nla_policy *policy,
|
|
|
|
|
unsigned int validate,
|
|
|
|
|
struct netlink_ext_ack *extack,
|
|
|
|
|
struct nlattr **tb, unsigned int depth);
|
|
|
|
|
|
2017-07-30 17:24:49 +00:00
|
|
|
static int validate_nla_bitfield32(const struct nlattr *nla,
|
2020-04-30 20:13:05 +00:00
|
|
|
const u32 valid_flags_mask)
|
2017-07-30 17:24:49 +00:00
|
|
|
{
|
|
|
|
|
const struct nla_bitfield32 *bf = nla_data(nla);
|
|
|
|
|
|
2018-09-26 09:15:31 +00:00
|
|
|
if (!valid_flags_mask)
|
2017-07-30 17:24:49 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/*disallow invalid bit selector */
|
2020-04-30 20:13:05 +00:00
|
|
|
if (bf->selector & ~valid_flags_mask)
|
2017-07-30 17:24:49 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/*disallow invalid bit values */
|
2020-04-30 20:13:05 +00:00
|
|
|
if (bf->value & ~valid_flags_mask)
|
2017-07-30 17:24:49 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/*disallow valid bit values that are not selected*/
|
|
|
|
|
if (bf->value & ~bf->selector)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-26 09:15:34 +00:00
|
|
|
static int nla_validate_array(const struct nlattr *head, int len, int maxtype,
|
|
|
|
|
const struct nla_policy *policy,
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
struct netlink_ext_ack *extack,
|
2020-04-30 20:13:06 +00:00
|
|
|
unsigned int validate, unsigned int depth)
|
2018-09-26 09:15:34 +00:00
|
|
|
{
|
|
|
|
|
const struct nlattr *entry;
|
|
|
|
|
int rem;
|
|
|
|
|
|
|
|
|
|
nla_for_each_attr(entry, head, len, rem) {
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (nla_len(entry) == 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (nla_len(entry) < NLA_HDRLEN) {
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, entry, policy,
|
|
|
|
|
"Array element too short");
|
2018-09-26 09:15:34 +00:00
|
|
|
return -ERANGE;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:06 +00:00
|
|
|
ret = __nla_validate_parse(nla_data(entry), nla_len(entry),
|
|
|
|
|
maxtype, policy, validate, extack,
|
|
|
|
|
NULL, depth + 1);
|
2018-09-26 09:15:34 +00:00
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:11 +00:00
|
|
|
void nla_get_range_unsigned(const struct nla_policy *pt,
|
|
|
|
|
struct netlink_range_validation *range)
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
{
|
2020-04-30 20:13:08 +00:00
|
|
|
WARN_ON_ONCE(pt->validation_type != NLA_VALIDATE_RANGE_PTR &&
|
|
|
|
|
(pt->min < 0 || pt->max < 0));
|
|
|
|
|
|
2020-04-30 20:13:11 +00:00
|
|
|
range->min = 0;
|
|
|
|
|
|
|
|
|
|
switch (pt->type) {
|
|
|
|
|
case NLA_U8:
|
|
|
|
|
range->max = U8_MAX;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U16:
|
2022-10-31 12:34:07 +00:00
|
|
|
case NLA_BE16:
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
case NLA_BINARY:
|
2020-04-30 20:13:11 +00:00
|
|
|
range->max = U16_MAX;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U32:
|
2022-10-31 12:34:07 +00:00
|
|
|
case NLA_BE32:
|
2020-04-30 20:13:11 +00:00
|
|
|
range->max = U32_MAX;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U64:
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_UINT:
|
2020-04-30 20:13:11 +00:00
|
|
|
case NLA_MSECS:
|
|
|
|
|
range->max = U64_MAX;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
WARN_ON_ONCE(1);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:08 +00:00
|
|
|
switch (pt->validation_type) {
|
|
|
|
|
case NLA_VALIDATE_RANGE:
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
case NLA_VALIDATE_RANGE_WARN_TOO_LONG:
|
2020-04-30 20:13:08 +00:00
|
|
|
range->min = pt->min;
|
|
|
|
|
range->max = pt->max;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_VALIDATE_RANGE_PTR:
|
2020-04-30 20:13:11 +00:00
|
|
|
*range = *pt->range;
|
2020-04-30 20:13:08 +00:00
|
|
|
break;
|
|
|
|
|
case NLA_VALIDATE_MIN:
|
|
|
|
|
range->min = pt->min;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_VALIDATE_MAX:
|
|
|
|
|
range->max = pt->max;
|
|
|
|
|
break;
|
2020-04-30 20:13:11 +00:00
|
|
|
default:
|
|
|
|
|
break;
|
2020-04-30 20:13:08 +00:00
|
|
|
}
|
2020-04-30 20:13:11 +00:00
|
|
|
}
|
|
|
|
|
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
static int nla_validate_range_unsigned(const struct nla_policy *pt,
|
|
|
|
|
const struct nlattr *nla,
|
|
|
|
|
struct netlink_ext_ack *extack,
|
|
|
|
|
unsigned int validate)
|
2020-04-30 20:13:11 +00:00
|
|
|
{
|
|
|
|
|
struct netlink_range_validation range;
|
|
|
|
|
u64 value;
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
|
|
|
|
|
switch (pt->type) {
|
|
|
|
|
case NLA_U8:
|
|
|
|
|
value = nla_get_u8(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U16:
|
2022-10-31 12:34:07 +00:00
|
|
|
value = nla_get_u16(nla);
|
|
|
|
|
break;
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
case NLA_U32:
|
2022-10-31 12:34:07 +00:00
|
|
|
value = nla_get_u32(nla);
|
|
|
|
|
break;
|
2020-04-30 20:13:08 +00:00
|
|
|
case NLA_U64:
|
2022-10-31 12:34:07 +00:00
|
|
|
value = nla_get_u64(nla);
|
2022-09-05 10:09:36 +00:00
|
|
|
break;
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_UINT:
|
|
|
|
|
value = nla_get_uint(nla);
|
|
|
|
|
break;
|
2020-04-30 20:13:09 +00:00
|
|
|
case NLA_MSECS:
|
2020-04-30 20:13:08 +00:00
|
|
|
value = nla_get_u64(nla);
|
|
|
|
|
break;
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
case NLA_BINARY:
|
|
|
|
|
value = nla_len(nla);
|
|
|
|
|
break;
|
2022-10-31 12:34:07 +00:00
|
|
|
case NLA_BE16:
|
|
|
|
|
value = ntohs(nla_get_be16(nla));
|
|
|
|
|
break;
|
|
|
|
|
case NLA_BE32:
|
|
|
|
|
value = ntohl(nla_get_be32(nla));
|
|
|
|
|
break;
|
2020-04-30 20:13:08 +00:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:11 +00:00
|
|
|
nla_get_range_unsigned(pt, &range);
|
|
|
|
|
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
if (pt->validation_type == NLA_VALIDATE_RANGE_WARN_TOO_LONG &&
|
|
|
|
|
pt->type == NLA_BINARY && value > range.max) {
|
|
|
|
|
pr_warn_ratelimited("netlink: '%s': attribute type %d has an invalid length.\n",
|
|
|
|
|
current->comm, pt->type);
|
|
|
|
|
if (validate & NL_VALIDATE_STRICT_ATTRS) {
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"invalid attribute length");
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* this assumes min <= max (don't validate against min) */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:11 +00:00
|
|
|
if (value < range.min || value > range.max) {
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
bool binary = pt->type == NLA_BINARY;
|
|
|
|
|
|
|
|
|
|
if (binary)
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"binary attribute size out of range");
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
else
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"integer out of range");
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
|
2020-04-30 20:13:08 +00:00
|
|
|
return -ERANGE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:11 +00:00
|
|
|
void nla_get_range_signed(const struct nla_policy *pt,
|
|
|
|
|
struct netlink_range_validation_signed *range)
|
2020-04-30 20:13:08 +00:00
|
|
|
{
|
2020-04-30 20:13:11 +00:00
|
|
|
switch (pt->type) {
|
|
|
|
|
case NLA_S8:
|
|
|
|
|
range->min = S8_MIN;
|
|
|
|
|
range->max = S8_MAX;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_S16:
|
|
|
|
|
range->min = S16_MIN;
|
|
|
|
|
range->max = S16_MAX;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_S32:
|
|
|
|
|
range->min = S32_MIN;
|
|
|
|
|
range->max = S32_MAX;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_S64:
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_SINT:
|
2020-04-30 20:13:11 +00:00
|
|
|
range->min = S64_MIN;
|
|
|
|
|
range->max = S64_MAX;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
WARN_ON_ONCE(1);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2020-04-30 20:13:08 +00:00
|
|
|
|
|
|
|
|
switch (pt->validation_type) {
|
|
|
|
|
case NLA_VALIDATE_RANGE:
|
|
|
|
|
range->min = pt->min;
|
|
|
|
|
range->max = pt->max;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_VALIDATE_RANGE_PTR:
|
2020-04-30 20:13:11 +00:00
|
|
|
*range = *pt->range_signed;
|
2020-04-30 20:13:08 +00:00
|
|
|
break;
|
|
|
|
|
case NLA_VALIDATE_MIN:
|
|
|
|
|
range->min = pt->min;
|
|
|
|
|
break;
|
|
|
|
|
case NLA_VALIDATE_MAX:
|
|
|
|
|
range->max = pt->max;
|
|
|
|
|
break;
|
2020-04-30 20:13:11 +00:00
|
|
|
default:
|
|
|
|
|
break;
|
2020-04-30 20:13:08 +00:00
|
|
|
}
|
2020-04-30 20:13:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int nla_validate_int_range_signed(const struct nla_policy *pt,
|
|
|
|
|
const struct nlattr *nla,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
|
|
|
|
{
|
|
|
|
|
struct netlink_range_validation_signed range;
|
|
|
|
|
s64 value;
|
2020-04-30 20:13:08 +00:00
|
|
|
|
|
|
|
|
switch (pt->type) {
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
case NLA_S8:
|
|
|
|
|
value = nla_get_s8(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_S16:
|
|
|
|
|
value = nla_get_s16(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_S32:
|
|
|
|
|
value = nla_get_s32(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_S64:
|
|
|
|
|
value = nla_get_s64(nla);
|
|
|
|
|
break;
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_SINT:
|
|
|
|
|
value = nla_get_sint(nla);
|
|
|
|
|
break;
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:11 +00:00
|
|
|
nla_get_range_signed(pt, &range);
|
|
|
|
|
|
|
|
|
|
if (value < range.min || value > range.max) {
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"integer out of range");
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
return -ERANGE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-30 20:13:08 +00:00
|
|
|
static int nla_validate_int_range(const struct nla_policy *pt,
|
|
|
|
|
const struct nlattr *nla,
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
struct netlink_ext_ack *extack,
|
|
|
|
|
unsigned int validate)
|
2020-04-30 20:13:08 +00:00
|
|
|
{
|
|
|
|
|
switch (pt->type) {
|
|
|
|
|
case NLA_U8:
|
|
|
|
|
case NLA_U16:
|
|
|
|
|
case NLA_U32:
|
|
|
|
|
case NLA_U64:
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_UINT:
|
2020-04-30 20:13:09 +00:00
|
|
|
case NLA_MSECS:
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
case NLA_BINARY:
|
2022-10-31 12:34:07 +00:00
|
|
|
case NLA_BE16:
|
|
|
|
|
case NLA_BE32:
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
return nla_validate_range_unsigned(pt, nla, extack, validate);
|
2020-04-30 20:13:08 +00:00
|
|
|
case NLA_S8:
|
|
|
|
|
case NLA_S16:
|
|
|
|
|
case NLA_S32:
|
|
|
|
|
case NLA_S64:
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_SINT:
|
2020-04-30 20:13:08 +00:00
|
|
|
return nla_validate_int_range_signed(pt, nla, extack);
|
|
|
|
|
default:
|
|
|
|
|
WARN_ON(1);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-05 22:07:38 +00:00
|
|
|
static int nla_validate_mask(const struct nla_policy *pt,
|
|
|
|
|
const struct nlattr *nla,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
|
|
|
|
{
|
|
|
|
|
u64 value;
|
|
|
|
|
|
|
|
|
|
switch (pt->type) {
|
|
|
|
|
case NLA_U8:
|
|
|
|
|
value = nla_get_u8(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U16:
|
|
|
|
|
value = nla_get_u16(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U32:
|
|
|
|
|
value = nla_get_u32(nla);
|
|
|
|
|
break;
|
|
|
|
|
case NLA_U64:
|
|
|
|
|
value = nla_get_u64(nla);
|
|
|
|
|
break;
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_UINT:
|
|
|
|
|
value = nla_get_uint(nla);
|
|
|
|
|
break;
|
2023-07-18 07:52:29 +00:00
|
|
|
case NLA_BE16:
|
|
|
|
|
value = ntohs(nla_get_be16(nla));
|
|
|
|
|
break;
|
|
|
|
|
case NLA_BE32:
|
|
|
|
|
value = ntohl(nla_get_be32(nla));
|
|
|
|
|
break;
|
2020-10-05 22:07:38 +00:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (value & ~(u64)pt->mask) {
|
|
|
|
|
NL_SET_ERR_MSG_ATTR(extack, nla, "reserved bit set");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-11-16 17:52:32 +00:00
|
|
|
static int validate_nla(const struct nlattr *nla, int maxtype,
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
const struct nla_policy *policy, unsigned int validate,
|
2020-04-30 20:13:06 +00:00
|
|
|
struct netlink_ext_ack *extack, unsigned int depth)
|
2005-11-10 01:25:51 +00:00
|
|
|
{
|
netlink: add strict parsing for future attributes
Unfortunately, we cannot add strict parsing for all attributes, as
that would break existing userspace. We currently warn about it, but
that's about all we can do.
For new attributes, however, the story is better: nobody is using
them, so we can reject bad sizes.
Also, for new attributes, we need not accept them when the policy
doesn't declare their usage.
David Ahern and I went back and forth on how to best encode this, and
the best way we found was to have a "boundary type", from which point
on new attributes have all possible validation applied, and NLA_UNSPEC
is rejected.
As we didn't want to add another argument to all functions that get a
netlink policy, the workaround is to encode that boundary in the first
entry of the policy array (which is for type 0 and thus probably not
really valid anyway). I put it into the validation union for the rare
possibility that somebody is actually using attribute 0, which would
continue to work fine unless they tried to use the extended validation,
which isn't likely. We also didn't find any in-tree users with type 0.
The reason for setting the "start strict here" attribute is that we
never really need to start strict from 0, which is invalid anyway (or
in legacy families where that isn't true, it cannot be set to strict),
so we can thus reserve the value 0 for "don't do this check" and don't
have to add the tag to all policies right now.
Thus, policies can now opt in to this validation, which we should do
for all existing policies, at least when adding new attributes.
Note that entirely *new* policies won't need to set it, as the use
of that should be using nla_parse()/nlmsg_parse() etc. which anyway
do fully strict validation now, regardless of this.
So in effect, this patch only covers the "existing command with new
attribute" case.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:30 +00:00
|
|
|
u16 strict_start_type = policy[0].strict_start_type;
|
2007-06-05 19:38:30 +00:00
|
|
|
const struct nla_policy *pt;
|
2007-09-12 12:44:36 +00:00
|
|
|
int minlen = 0, attrlen = nla_len(nla), type = nla_type(nla);
|
2018-09-26 09:15:32 +00:00
|
|
|
int err = -ERANGE;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
netlink: add strict parsing for future attributes
Unfortunately, we cannot add strict parsing for all attributes, as
that would break existing userspace. We currently warn about it, but
that's about all we can do.
For new attributes, however, the story is better: nobody is using
them, so we can reject bad sizes.
Also, for new attributes, we need not accept them when the policy
doesn't declare their usage.
David Ahern and I went back and forth on how to best encode this, and
the best way we found was to have a "boundary type", from which point
on new attributes have all possible validation applied, and NLA_UNSPEC
is rejected.
As we didn't want to add another argument to all functions that get a
netlink policy, the workaround is to encode that boundary in the first
entry of the policy array (which is for type 0 and thus probably not
really valid anyway). I put it into the validation union for the rare
possibility that somebody is actually using attribute 0, which would
continue to work fine unless they tried to use the extended validation,
which isn't likely. We also didn't find any in-tree users with type 0.
The reason for setting the "start strict here" attribute is that we
never really need to start strict from 0, which is invalid anyway (or
in legacy families where that isn't true, it cannot be set to strict),
so we can thus reserve the value 0 for "don't do this check" and don't
have to add the tag to all policies right now.
Thus, policies can now opt in to this validation, which we should do
for all existing policies, at least when adding new attributes.
Note that entirely *new* policies won't need to set it, as the use
of that should be using nla_parse()/nlmsg_parse() etc. which anyway
do fully strict validation now, regardless of this.
So in effect, this patch only covers the "existing command with new
attribute" case.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:30 +00:00
|
|
|
if (strict_start_type && type >= strict_start_type)
|
|
|
|
|
validate |= NL_VALIDATE_STRICT;
|
|
|
|
|
|
2007-09-12 12:44:36 +00:00
|
|
|
if (type <= 0 || type > maxtype)
|
2005-11-10 01:25:51 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2023-01-19 11:01:50 +00:00
|
|
|
type = array_index_nospec(type, maxtype + 1);
|
2007-09-12 12:44:36 +00:00
|
|
|
pt = &policy[type];
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
BUG_ON(pt->type > NLA_TYPE_MAX);
|
|
|
|
|
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
if (nla_attr_len[pt->type] && attrlen != nla_attr_len[pt->type]) {
|
2017-12-07 04:09:12 +00:00
|
|
|
pr_warn_ratelimited("netlink: '%s': attribute type %d has an invalid length.\n",
|
|
|
|
|
current->comm, type);
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
if (validate & NL_VALIDATE_STRICT_ATTRS) {
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"invalid attribute length");
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
2017-11-08 05:59:40 +00:00
|
|
|
}
|
|
|
|
|
|
2019-05-02 14:15:10 +00:00
|
|
|
if (validate & NL_VALIDATE_NESTED) {
|
|
|
|
|
if ((pt->type == NLA_NESTED || pt->type == NLA_NESTED_ARRAY) &&
|
|
|
|
|
!(nla->nla_type & NLA_F_NESTED)) {
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"NLA_F_NESTED is missing");
|
2019-05-02 14:15:10 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
if (pt->type != NLA_NESTED && pt->type != NLA_NESTED_ARRAY &&
|
|
|
|
|
pt->type != NLA_UNSPEC && (nla->nla_type & NLA_F_NESTED)) {
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"NLA_F_NESTED not expected");
|
2019-05-02 14:15:10 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-08-27 03:11:47 +00:00
|
|
|
switch (pt->type) {
|
2018-09-17 09:57:28 +00:00
|
|
|
case NLA_REJECT:
|
2020-04-30 20:13:05 +00:00
|
|
|
if (extack && pt->reject_message) {
|
2018-09-26 09:15:32 +00:00
|
|
|
NL_SET_BAD_ATTR(extack, nla);
|
2020-04-30 20:13:05 +00:00
|
|
|
extack->_msg = pt->reject_message;
|
2018-09-26 09:15:32 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
err = -EINVAL;
|
|
|
|
|
goto out_err;
|
2018-09-17 09:57:28 +00:00
|
|
|
|
2006-08-27 03:11:47 +00:00
|
|
|
case NLA_FLAG:
|
|
|
|
|
if (attrlen > 0)
|
2018-09-26 09:15:32 +00:00
|
|
|
goto out_err;
|
2006-08-27 03:11:47 +00:00
|
|
|
break;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
netlink: add variable-length / auto integers
We currently push everyone to use padding to align 64b values
in netlink. Un-padded nla_put_u64() doesn't even exist any more.
The story behind this possibly start with this thread:
https://lore.kernel.org/netdev/20121204.130914.1457976839967676240.davem@davemloft.net/
where DaveM was concerned about the alignment of a structure
containing 64b stats. If user space tries to access such struct
directly:
struct some_stats *stats = nla_data(attr);
printf("A: %llu", stats->a);
lack of alignment may become problematic for some architectures.
These days we most often put every single member in a separate
attribute, meaning that the code above would use a helper like
nla_get_u64(), which can deal with alignment internally.
Even for arches which don't have good unaligned access - access
aligned to 4B should be pretty efficient.
Kernel and well known libraries deal with unaligned input already.
Padded 64b is quite space-inefficient (64b + pad means at worst 16B
per attr vs 32b which takes 8B). It is also more typing:
if (nla_put_u64_pad(rsp, NETDEV_A_SOMETHING_SOMETHING,
value, NETDEV_A_SOMETHING_PAD))
Create a new attribute type which will use 32 bits at netlink
level if value is small enough (probably most of the time?),
and (4B-aligned) 64 bits otherwise. Kernel API is just:
if (nla_put_uint(rsp, NETDEV_A_SOMETHING_SOMETHING, value))
Calling this new type "just" sint / uint with no specific size
will hopefully also make people more comfortable with using it.
Currently telling people "don't use u8, you may need the bits,
and netlink will round up to 4B, anyway" is the #1 comment
we give to newcomers.
In terms of netlink layout it looks like this:
0 4 8 12 16
32b: [nlattr][ u32 ]
64b: [ pad ][nlattr][ u64 ]
uint(32) [nlattr][ u32 ]
uint(64) [nlattr][ u64 ]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-10-18 21:39:20 +00:00
|
|
|
case NLA_SINT:
|
|
|
|
|
case NLA_UINT:
|
|
|
|
|
if (attrlen != sizeof(u32) && attrlen != sizeof(u64)) {
|
|
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"invalid attribute length");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2017-07-30 17:24:49 +00:00
|
|
|
case NLA_BITFIELD32:
|
|
|
|
|
if (attrlen != sizeof(struct nla_bitfield32))
|
2018-09-26 09:15:32 +00:00
|
|
|
goto out_err;
|
2017-07-30 17:24:49 +00:00
|
|
|
|
2020-04-30 20:13:05 +00:00
|
|
|
err = validate_nla_bitfield32(nla, pt->bitfield32_valid);
|
2018-09-26 09:15:32 +00:00
|
|
|
if (err)
|
|
|
|
|
goto out_err;
|
|
|
|
|
break;
|
2017-07-30 17:24:49 +00:00
|
|
|
|
2006-08-27 03:11:47 +00:00
|
|
|
case NLA_NUL_STRING:
|
|
|
|
|
if (pt->len)
|
|
|
|
|
minlen = min_t(int, attrlen, pt->len + 1);
|
|
|
|
|
else
|
|
|
|
|
minlen = attrlen;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2018-09-26 09:15:32 +00:00
|
|
|
if (!minlen || memchr(nla_data(nla), '\0', minlen) == NULL) {
|
|
|
|
|
err = -EINVAL;
|
|
|
|
|
goto out_err;
|
|
|
|
|
}
|
2020-11-19 13:11:44 +00:00
|
|
|
fallthrough;
|
2006-08-27 03:11:47 +00:00
|
|
|
|
|
|
|
|
case NLA_STRING:
|
|
|
|
|
if (attrlen < 1)
|
2018-09-26 09:15:32 +00:00
|
|
|
goto out_err;
|
2006-08-27 03:11:47 +00:00
|
|
|
|
|
|
|
|
if (pt->len) {
|
|
|
|
|
char *buf = nla_data(nla);
|
|
|
|
|
|
|
|
|
|
if (buf[attrlen - 1] == '\0')
|
|
|
|
|
attrlen--;
|
|
|
|
|
|
|
|
|
|
if (attrlen > pt->len)
|
2018-09-26 09:15:32 +00:00
|
|
|
goto out_err;
|
2006-08-27 03:11:47 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2007-03-23 18:37:48 +00:00
|
|
|
case NLA_BINARY:
|
|
|
|
|
if (pt->len && attrlen > pt->len)
|
2018-09-26 09:15:32 +00:00
|
|
|
goto out_err;
|
2007-03-23 18:37:48 +00:00
|
|
|
break;
|
|
|
|
|
|
2008-11-28 11:05:19 +00:00
|
|
|
case NLA_NESTED:
|
|
|
|
|
/* a nested attributes is allowed to be empty; if its not,
|
|
|
|
|
* it must have a size of at least NLA_HDRLEN.
|
|
|
|
|
*/
|
|
|
|
|
if (attrlen == 0)
|
|
|
|
|
break;
|
2018-09-26 09:15:33 +00:00
|
|
|
if (attrlen < NLA_HDRLEN)
|
|
|
|
|
goto out_err;
|
2020-04-30 20:13:05 +00:00
|
|
|
if (pt->nested_policy) {
|
2020-04-30 20:13:06 +00:00
|
|
|
err = __nla_validate_parse(nla_data(nla), nla_len(nla),
|
|
|
|
|
pt->len, pt->nested_policy,
|
|
|
|
|
validate, extack, NULL,
|
|
|
|
|
depth + 1);
|
2018-09-26 09:15:33 +00:00
|
|
|
if (err < 0) {
|
|
|
|
|
/*
|
|
|
|
|
* return directly to preserve the inner
|
|
|
|
|
* error message/attribute pointer
|
|
|
|
|
*/
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
2018-09-26 09:15:34 +00:00
|
|
|
case NLA_NESTED_ARRAY:
|
|
|
|
|
/* a nested array attribute is allowed to be empty; if its not,
|
|
|
|
|
* it must have a size of at least NLA_HDRLEN.
|
|
|
|
|
*/
|
|
|
|
|
if (attrlen == 0)
|
|
|
|
|
break;
|
|
|
|
|
if (attrlen < NLA_HDRLEN)
|
|
|
|
|
goto out_err;
|
2020-04-30 20:13:05 +00:00
|
|
|
if (pt->nested_policy) {
|
2018-09-26 09:15:34 +00:00
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
err = nla_validate_array(nla_data(nla), nla_len(nla),
|
2020-04-30 20:13:05 +00:00
|
|
|
pt->len, pt->nested_policy,
|
2020-04-30 20:13:06 +00:00
|
|
|
extack, validate, depth);
|
2018-09-26 09:15:34 +00:00
|
|
|
if (err < 0) {
|
|
|
|
|
/*
|
|
|
|
|
* return directly to preserve the inner
|
|
|
|
|
* error message/attribute pointer
|
|
|
|
|
*/
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
2019-04-26 12:07:27 +00:00
|
|
|
|
|
|
|
|
case NLA_UNSPEC:
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
if (validate & NL_VALIDATE_UNSPEC) {
|
|
|
|
|
NL_SET_ERR_MSG_ATTR(extack, nla,
|
|
|
|
|
"Unsupported attribute");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
2019-04-26 12:07:27 +00:00
|
|
|
if (attrlen < pt->len)
|
|
|
|
|
goto out_err;
|
|
|
|
|
break;
|
|
|
|
|
|
2006-08-27 03:11:47 +00:00
|
|
|
default:
|
|
|
|
|
if (pt->len)
|
|
|
|
|
minlen = pt->len;
|
2019-04-26 12:07:27 +00:00
|
|
|
else
|
2006-08-27 03:11:47 +00:00
|
|
|
minlen = nla_attr_minlen[pt->type];
|
|
|
|
|
|
|
|
|
|
if (attrlen < minlen)
|
2018-09-26 09:15:32 +00:00
|
|
|
goto out_err;
|
2006-08-27 03:11:47 +00:00
|
|
|
}
|
2005-11-10 01:25:51 +00:00
|
|
|
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
/* further validation */
|
|
|
|
|
switch (pt->validation_type) {
|
|
|
|
|
case NLA_VALIDATE_NONE:
|
|
|
|
|
/* nothing to do */
|
|
|
|
|
break;
|
2020-04-30 20:13:08 +00:00
|
|
|
case NLA_VALIDATE_RANGE_PTR:
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
case NLA_VALIDATE_RANGE:
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
case NLA_VALIDATE_RANGE_WARN_TOO_LONG:
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
case NLA_VALIDATE_MIN:
|
|
|
|
|
case NLA_VALIDATE_MAX:
|
netlink: make NLA_BINARY validation more flexible
Add range validation for NLA_BINARY, allowing validation of any
combination of combination minimum or maximum lengths, using the
existing NLA_POLICY_RANGE()/NLA_POLICY_FULL_RANGE() macros, just
like for integers where the value is checked.
Also make NLA_POLICY_EXACT_LEN(), NLA_POLICY_EXACT_LEN_WARN()
and NLA_POLICY_MIN_LEN() special cases of this, removing the old
types NLA_EXACT_LEN and NLA_MIN_LEN.
This allows us to save some code where both minimum and maximum
lengths are requires, currently the policy only allows maximum
(NLA_BINARY), minimum (NLA_MIN_LEN) or exact (NLA_EXACT_LEN), so
a range of lengths cannot be accepted and must be checked by the
code that consumes the attributes later.
Also, this allows advertising the correct ranges in the policy
export to userspace. Here, NLA_MIN_LEN and NLA_EXACT_LEN already
were special cases of NLA_BINARY with min and min/max length
respectively.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-08-18 08:17:33 +00:00
|
|
|
err = nla_validate_int_range(pt, nla, extack, validate);
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
break;
|
2020-10-05 22:07:38 +00:00
|
|
|
case NLA_VALIDATE_MASK:
|
|
|
|
|
err = nla_validate_mask(pt, nla, extack);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
break;
|
2018-09-27 09:28:36 +00:00
|
|
|
case NLA_VALIDATE_FUNCTION:
|
|
|
|
|
if (pt->validate) {
|
|
|
|
|
err = pt->validate(nla, extack);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
break;
|
netlink: add attribute range validation to policy
Without further bloating the policy structs, we can overload
the `validation_data' pointer with a struct of s16 min, max
and use those to validate ranges in NLA_{U,S}{8,16,32,64}
attributes.
It may sound strange to validate NLA_U32 with a s16 max, but
in many cases NLA_U32 is used for enums etc. since there's no
size benefit in using a smaller attribute width anyway, due
to netlink attribute alignment; in cases like that it's still
useful, particularly when the attribute really transports an
enum value.
Doing so lets us remove quite a bit of validation code, if we
can be sure that these attributes aren't used by userspace in
places where they're ignored today.
To achieve all this, split the 'type' field and introduce a
new 'validation_type' field which indicates what further
validation (beyond the validation prescribed by the type of
the attribute) is done. This currently allows for no further
validation (the default), as well as min, max and range checks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-27 09:28:35 +00:00
|
|
|
}
|
|
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
return 0;
|
2018-09-26 09:15:32 +00:00
|
|
|
out_err:
|
2020-10-08 10:45:17 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR_POL(extack, nla, pt,
|
|
|
|
|
"Attribute failed policy validation");
|
2018-09-26 09:15:32 +00:00
|
|
|
return err;
|
2005-11-10 01:25:51 +00:00
|
|
|
}
|
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype,
|
|
|
|
|
const struct nla_policy *policy,
|
|
|
|
|
unsigned int validate,
|
|
|
|
|
struct netlink_ext_ack *extack,
|
2020-04-30 20:13:06 +00:00
|
|
|
struct nlattr **tb, unsigned int depth)
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
{
|
|
|
|
|
const struct nlattr *nla;
|
|
|
|
|
int rem;
|
|
|
|
|
|
2020-04-30 20:13:06 +00:00
|
|
|
if (depth >= MAX_POLICY_RECURSION_DEPTH) {
|
|
|
|
|
NL_SET_ERR_MSG(extack,
|
|
|
|
|
"allowed policy recursion depth exceeded");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
if (tb)
|
|
|
|
|
memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1));
|
|
|
|
|
|
|
|
|
|
nla_for_each_attr(nla, head, len, rem) {
|
|
|
|
|
u16 type = nla_type(nla);
|
|
|
|
|
|
|
|
|
|
if (type == 0 || type > maxtype) {
|
|
|
|
|
if (validate & NL_VALIDATE_MAXTYPE) {
|
2019-05-02 14:15:10 +00:00
|
|
|
NL_SET_ERR_MSG_ATTR(extack, nla,
|
|
|
|
|
"Unknown attribute type");
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2023-01-19 11:01:50 +00:00
|
|
|
type = array_index_nospec(type, maxtype + 1);
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
if (policy) {
|
|
|
|
|
int err = validate_nla(nla, maxtype, policy,
|
2020-04-30 20:13:06 +00:00
|
|
|
validate, extack, depth);
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (tb)
|
|
|
|
|
tb[type] = (struct nlattr *)nla;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (unlikely(rem > 0)) {
|
|
|
|
|
pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n",
|
|
|
|
|
rem, current->comm);
|
|
|
|
|
NL_SET_ERR_MSG(extack, "bytes leftover after parsing attributes");
|
|
|
|
|
if (validate & NL_VALIDATE_TRAILING)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
* __nla_validate - Validate a stream of attributes
|
2005-11-10 01:25:51 +00:00
|
|
|
* @head: head of attribute stream
|
|
|
|
|
* @len: length of attribute stream
|
|
|
|
|
* @maxtype: maximum attribute type to be expected
|
|
|
|
|
* @policy: validation policy
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
* @validate: validation strictness
|
2017-04-12 12:34:07 +00:00
|
|
|
* @extack: extended ACK report struct
|
2005-11-10 01:25:51 +00:00
|
|
|
*
|
|
|
|
|
* Validates all attributes in the specified attribute stream against the
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
* specified policy. Validation depends on the validate flags passed, see
|
|
|
|
|
* &enum netlink_validation for more details on that.
|
2021-07-08 01:07:31 +00:00
|
|
|
* See documentation of struct nla_policy for more details.
|
2005-11-10 01:25:51 +00:00
|
|
|
*
|
|
|
|
|
* Returns 0 on success or a negative error code.
|
|
|
|
|
*/
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
int __nla_validate(const struct nlattr *head, int len, int maxtype,
|
|
|
|
|
const struct nla_policy *policy, unsigned int validate,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2005-11-10 01:25:51 +00:00
|
|
|
{
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
return __nla_validate_parse(head, len, maxtype, policy, validate,
|
2020-04-30 20:13:06 +00:00
|
|
|
extack, NULL, 0);
|
2005-11-10 01:25:51 +00:00
|
|
|
}
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
EXPORT_SYMBOL(__nla_validate);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2009-03-25 17:26:30 +00:00
|
|
|
/**
|
2021-07-08 01:07:31 +00:00
|
|
|
* nla_policy_len - Determine the max. length of a policy
|
2022-11-07 06:26:23 +00:00
|
|
|
* @p: policy to use
|
2009-03-25 17:26:30 +00:00
|
|
|
* @n: number of policies
|
|
|
|
|
*
|
|
|
|
|
* Determines the max. length of the policy. It is currently used
|
|
|
|
|
* to allocated Netlink buffers roughly the size of the actual
|
|
|
|
|
* message.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 on success or a negative error code.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
nla_policy_len(const struct nla_policy *p, int n)
|
|
|
|
|
{
|
|
|
|
|
int i, len = 0;
|
|
|
|
|
|
2011-02-28 20:38:25 +00:00
|
|
|
for (i = 0; i < n; i++, p++) {
|
2009-03-25 17:26:30 +00:00
|
|
|
if (p->len)
|
|
|
|
|
len += nla_total_size(p->len);
|
2017-11-08 05:59:40 +00:00
|
|
|
else if (nla_attr_len[p->type])
|
|
|
|
|
len += nla_total_size(nla_attr_len[p->type]);
|
2009-03-25 17:26:30 +00:00
|
|
|
else if (nla_attr_minlen[p->type])
|
|
|
|
|
len += nla_total_size(nla_attr_minlen[p->type]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return len;
|
|
|
|
|
}
|
2014-06-04 23:11:57 +00:00
|
|
|
EXPORT_SYMBOL(nla_policy_len);
|
2009-03-25 17:26:30 +00:00
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
* __nla_parse - Parse a stream of attributes into a tb buffer
|
2005-11-10 01:25:51 +00:00
|
|
|
* @tb: destination array with maxtype+1 elements
|
|
|
|
|
* @maxtype: maximum attribute type to be expected
|
|
|
|
|
* @head: head of attribute stream
|
|
|
|
|
* @len: length of attribute stream
|
2008-06-28 03:02:14 +00:00
|
|
|
* @policy: validation policy
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
* @validate: validation strictness
|
|
|
|
|
* @extack: extended ACK pointer
|
2005-11-10 01:25:51 +00:00
|
|
|
*
|
|
|
|
|
* Parses a stream of attributes and stores a pointer to each attribute in
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
* the tb array accessible via the attribute type.
|
|
|
|
|
* Validation is controlled by the @validate parameter.
|
2005-11-10 01:25:51 +00:00
|
|
|
*
|
|
|
|
|
* Returns 0 on success or a negative error code.
|
|
|
|
|
*/
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
int __nla_parse(struct nlattr **tb, int maxtype,
|
|
|
|
|
const struct nlattr *head, int len,
|
|
|
|
|
const struct nla_policy *policy, unsigned int validate,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2018-10-08 03:16:25 +00:00
|
|
|
{
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
return __nla_validate_parse(head, len, maxtype, policy, validate,
|
2020-04-30 20:13:06 +00:00
|
|
|
extack, tb, 0);
|
2018-10-08 03:16:25 +00:00
|
|
|
}
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 12:07:28 +00:00
|
|
|
EXPORT_SYMBOL(__nla_parse);
|
2018-10-08 03:16:25 +00:00
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
|
|
|
|
* nla_find - Find a specific attribute in a stream of attributes
|
|
|
|
|
* @head: head of attribute stream
|
|
|
|
|
* @len: length of attribute stream
|
|
|
|
|
* @attrtype: type of attribute to look for
|
|
|
|
|
*
|
|
|
|
|
* Returns the first attribute in the stream matching the specified type.
|
|
|
|
|
*/
|
2010-11-16 17:52:32 +00:00
|
|
|
struct nlattr *nla_find(const struct nlattr *head, int len, int attrtype)
|
2005-11-10 01:25:51 +00:00
|
|
|
{
|
2010-11-16 17:52:32 +00:00
|
|
|
const struct nlattr *nla;
|
2005-11-10 01:25:51 +00:00
|
|
|
int rem;
|
|
|
|
|
|
|
|
|
|
nla_for_each_attr(nla, head, len, rem)
|
2007-09-12 12:44:36 +00:00
|
|
|
if (nla_type(nla) == attrtype)
|
2010-11-16 17:52:32 +00:00
|
|
|
return (struct nlattr *)nla;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2014-06-04 23:11:57 +00:00
|
|
|
EXPORT_SYMBOL(nla_find);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
/**
|
2020-11-15 17:08:06 +00:00
|
|
|
* nla_strscpy - Copy string attribute payload into a sized buffer
|
2020-11-15 17:08:05 +00:00
|
|
|
* @dst: Where to copy the string to.
|
|
|
|
|
* @nla: Attribute to copy the string from.
|
|
|
|
|
* @dstsize: Size of destination buffer.
|
2005-11-10 01:25:51 +00:00
|
|
|
*
|
|
|
|
|
* Copies at most dstsize - 1 bytes into the destination buffer.
|
2024-01-18 20:31:55 +00:00
|
|
|
* Unlike strscpy() the destination buffer is always padded out.
|
2005-11-10 01:25:51 +00:00
|
|
|
*
|
2020-11-15 17:08:05 +00:00
|
|
|
* Return:
|
|
|
|
|
* * srclen - Returns @nla length (not including the trailing %NUL).
|
|
|
|
|
* * -E2BIG - If @dstsize is 0 or greater than U16_MAX or @nla length greater
|
|
|
|
|
* than @dstsize.
|
2005-11-10 01:25:51 +00:00
|
|
|
*/
|
2020-11-15 17:08:06 +00:00
|
|
|
ssize_t nla_strscpy(char *dst, const struct nlattr *nla, size_t dstsize)
|
2005-11-10 01:25:51 +00:00
|
|
|
{
|
|
|
|
|
size_t srclen = nla_len(nla);
|
|
|
|
|
char *src = nla_data(nla);
|
2020-11-15 17:08:05 +00:00
|
|
|
ssize_t ret;
|
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
|
|
if (dstsize == 0 || WARN_ON_ONCE(dstsize > U16_MAX))
|
|
|
|
|
return -E2BIG;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
if (srclen > 0 && src[srclen - 1] == '\0')
|
|
|
|
|
srclen--;
|
|
|
|
|
|
2020-11-15 17:08:05 +00:00
|
|
|
if (srclen >= dstsize) {
|
|
|
|
|
len = dstsize - 1;
|
|
|
|
|
ret = -E2BIG;
|
|
|
|
|
} else {
|
|
|
|
|
len = srclen;
|
|
|
|
|
ret = len;
|
2005-11-10 01:25:51 +00:00
|
|
|
}
|
|
|
|
|
|
2020-11-15 17:08:05 +00:00
|
|
|
memcpy(dst, src, len);
|
|
|
|
|
/* Zero pad end of dst. */
|
|
|
|
|
memset(dst + len, 0, dstsize - len);
|
|
|
|
|
|
|
|
|
|
return ret;
|
2005-11-10 01:25:51 +00:00
|
|
|
}
|
2020-11-15 17:08:06 +00:00
|
|
|
EXPORT_SYMBOL(nla_strscpy);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2017-07-27 14:56:40 +00:00
|
|
|
/**
|
|
|
|
|
* nla_strdup - Copy string attribute payload into a newly allocated buffer
|
|
|
|
|
* @nla: attribute to copy the string from
|
|
|
|
|
* @flags: the type of memory to allocate (see kmalloc).
|
|
|
|
|
*
|
|
|
|
|
* Returns a pointer to the allocated buffer or NULL on error.
|
|
|
|
|
*/
|
|
|
|
|
char *nla_strdup(const struct nlattr *nla, gfp_t flags)
|
|
|
|
|
{
|
|
|
|
|
size_t srclen = nla_len(nla);
|
|
|
|
|
char *src = nla_data(nla), *dst;
|
|
|
|
|
|
|
|
|
|
if (srclen > 0 && src[srclen - 1] == '\0')
|
|
|
|
|
srclen--;
|
|
|
|
|
|
|
|
|
|
dst = kmalloc(srclen + 1, flags);
|
|
|
|
|
if (dst != NULL) {
|
|
|
|
|
memcpy(dst, src, srclen);
|
|
|
|
|
dst[srclen] = '\0';
|
|
|
|
|
}
|
|
|
|
|
return dst;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nla_strdup);
|
|
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
|
|
|
|
* nla_memcpy - Copy a netlink attribute into another memory area
|
|
|
|
|
* @dest: where to copy to memcpy
|
|
|
|
|
* @src: netlink attribute to copy from
|
|
|
|
|
* @count: size of the destination area
|
|
|
|
|
*
|
|
|
|
|
* Note: The number of bytes copied is limited by the length of
|
|
|
|
|
* attribute's payload. memcpy
|
|
|
|
|
*
|
|
|
|
|
* Returns the number of bytes copied.
|
|
|
|
|
*/
|
2008-10-28 18:59:11 +00:00
|
|
|
int nla_memcpy(void *dest, const struct nlattr *src, int count)
|
2005-11-10 01:25:51 +00:00
|
|
|
{
|
|
|
|
|
int minlen = min_t(int, count, nla_len(src));
|
|
|
|
|
|
|
|
|
|
memcpy(dest, nla_data(src), minlen);
|
2015-03-29 14:05:28 +00:00
|
|
|
if (count > minlen)
|
|
|
|
|
memset(dest + minlen, 0, count - minlen);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
return minlen;
|
|
|
|
|
}
|
2014-06-04 23:11:57 +00:00
|
|
|
EXPORT_SYMBOL(nla_memcpy);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* nla_memcmp - Compare an attribute with sized memory area
|
|
|
|
|
* @nla: netlink attribute
|
|
|
|
|
* @data: memory area
|
|
|
|
|
* @size: size of memory area
|
|
|
|
|
*/
|
|
|
|
|
int nla_memcmp(const struct nlattr *nla, const void *data,
|
|
|
|
|
size_t size)
|
|
|
|
|
{
|
|
|
|
|
int d = nla_len(nla) - size;
|
|
|
|
|
|
|
|
|
|
if (d == 0)
|
|
|
|
|
d = memcmp(nla_data(nla), data, size);
|
|
|
|
|
|
|
|
|
|
return d;
|
|
|
|
|
}
|
2014-06-04 23:11:57 +00:00
|
|
|
EXPORT_SYMBOL(nla_memcmp);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* nla_strcmp - Compare a string attribute against a string
|
|
|
|
|
* @nla: netlink string attribute
|
|
|
|
|
* @str: another string
|
|
|
|
|
*/
|
|
|
|
|
int nla_strcmp(const struct nlattr *nla, const char *str)
|
|
|
|
|
{
|
2014-04-01 17:38:44 +00:00
|
|
|
int len = strlen(str);
|
|
|
|
|
char *buf = nla_data(nla);
|
|
|
|
|
int attrlen = nla_len(nla);
|
|
|
|
|
int d;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2021-05-05 16:58:31 +00:00
|
|
|
while (attrlen > 0 && buf[attrlen - 1] == '\0')
|
2014-04-01 17:38:44 +00:00
|
|
|
attrlen--;
|
|
|
|
|
|
|
|
|
|
d = attrlen - len;
|
2005-11-10 01:25:51 +00:00
|
|
|
if (d == 0)
|
|
|
|
|
d = memcmp(nla_data(nla), str, len);
|
|
|
|
|
|
|
|
|
|
return d;
|
|
|
|
|
}
|
2014-06-04 23:11:57 +00:00
|
|
|
EXPORT_SYMBOL(nla_strcmp);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2009-03-11 15:18:32 +00:00
|
|
|
#ifdef CONFIG_NET
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
|
|
|
|
* __nla_reserve - reserve room for attribute on the skb
|
|
|
|
|
* @skb: socket buffer to reserve room on
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
*
|
|
|
|
|
* Adds a netlink attribute header to a socket buffer and reserves
|
|
|
|
|
* room for the payload but does not copy it.
|
|
|
|
|
*
|
|
|
|
|
* The caller is responsible to ensure that the skb provides enough
|
|
|
|
|
* tailroom for the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
struct nlattr *__nla_reserve(struct sk_buff *skb, int attrtype, int attrlen)
|
|
|
|
|
{
|
|
|
|
|
struct nlattr *nla;
|
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
nla = skb_put(skb, nla_total_size(attrlen));
|
2005-11-10 01:25:51 +00:00
|
|
|
nla->nla_type = attrtype;
|
|
|
|
|
nla->nla_len = nla_attr_size(attrlen);
|
|
|
|
|
|
|
|
|
|
memset((unsigned char *) nla + nla->nla_len, 0, nla_padlen(attrlen));
|
|
|
|
|
|
|
|
|
|
return nla;
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(__nla_reserve);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2016-04-21 16:58:24 +00:00
|
|
|
/**
|
|
|
|
|
* __nla_reserve_64bit - reserve room for attribute on the skb and align it
|
|
|
|
|
* @skb: socket buffer to reserve room on
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
2016-04-22 15:31:16 +00:00
|
|
|
* @padattr: attribute type for the padding
|
2016-04-21 16:58:24 +00:00
|
|
|
*
|
|
|
|
|
* Adds a netlink attribute header to a socket buffer and reserves
|
|
|
|
|
* room for the payload but does not copy it. It also ensure that this
|
2016-04-22 15:31:16 +00:00
|
|
|
* attribute will have a 64-bit aligned nla_data() area.
|
2016-04-21 16:58:24 +00:00
|
|
|
*
|
|
|
|
|
* The caller is responsible to ensure that the skb provides enough
|
|
|
|
|
* tailroom for the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
struct nlattr *__nla_reserve_64bit(struct sk_buff *skb, int attrtype,
|
|
|
|
|
int attrlen, int padattr)
|
|
|
|
|
{
|
2020-08-25 03:25:17 +00:00
|
|
|
nla_align_64bit(skb, padattr);
|
2016-04-21 16:58:24 +00:00
|
|
|
|
|
|
|
|
return __nla_reserve(skb, attrtype, attrlen);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__nla_reserve_64bit);
|
|
|
|
|
|
2006-08-05 06:03:05 +00:00
|
|
|
/**
|
|
|
|
|
* __nla_reserve_nohdr - reserve room for attribute without header
|
|
|
|
|
* @skb: socket buffer to reserve room on
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
*
|
|
|
|
|
* Reserves room for attribute payload without a header.
|
|
|
|
|
*
|
|
|
|
|
* The caller is responsible to ensure that the skb provides enough
|
|
|
|
|
* tailroom for the payload.
|
|
|
|
|
*/
|
|
|
|
|
void *__nla_reserve_nohdr(struct sk_buff *skb, int attrlen)
|
|
|
|
|
{
|
2017-06-18 14:52:04 +00:00
|
|
|
return skb_put_zero(skb, NLA_ALIGN(attrlen));
|
2006-08-05 06:03:05 +00:00
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(__nla_reserve_nohdr);
|
2006-08-05 06:03:05 +00:00
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
|
|
|
|
* nla_reserve - reserve room for attribute on the skb
|
|
|
|
|
* @skb: socket buffer to reserve room on
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
*
|
|
|
|
|
* Adds a netlink attribute header to a socket buffer and reserves
|
|
|
|
|
* room for the payload but does not copy it.
|
|
|
|
|
*
|
|
|
|
|
* Returns NULL if the tailroom of the skb is insufficient to store
|
|
|
|
|
* the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
struct nlattr *nla_reserve(struct sk_buff *skb, int attrtype, int attrlen)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < nla_total_size(attrlen)))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return __nla_reserve(skb, attrtype, attrlen);
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(nla_reserve);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2016-04-21 16:58:24 +00:00
|
|
|
/**
|
|
|
|
|
* nla_reserve_64bit - reserve room for attribute on the skb and align it
|
|
|
|
|
* @skb: socket buffer to reserve room on
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
2016-04-22 15:31:16 +00:00
|
|
|
* @padattr: attribute type for the padding
|
2016-04-21 16:58:24 +00:00
|
|
|
*
|
|
|
|
|
* Adds a netlink attribute header to a socket buffer and reserves
|
|
|
|
|
* room for the payload but does not copy it. It also ensure that this
|
2016-04-22 15:31:16 +00:00
|
|
|
* attribute will have a 64-bit aligned nla_data() area.
|
2016-04-21 16:58:24 +00:00
|
|
|
*
|
|
|
|
|
* Returns NULL if the tailroom of the skb is insufficient to store
|
|
|
|
|
* the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
struct nlattr *nla_reserve_64bit(struct sk_buff *skb, int attrtype, int attrlen,
|
|
|
|
|
int padattr)
|
|
|
|
|
{
|
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
|
|
if (nla_need_padding_for_64bit(skb))
|
|
|
|
|
len = nla_total_size_64bit(attrlen);
|
|
|
|
|
else
|
|
|
|
|
len = nla_total_size(attrlen);
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < len))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return __nla_reserve_64bit(skb, attrtype, attrlen, padattr);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nla_reserve_64bit);
|
|
|
|
|
|
2006-08-05 06:03:05 +00:00
|
|
|
/**
|
2008-06-28 03:02:14 +00:00
|
|
|
* nla_reserve_nohdr - reserve room for attribute without header
|
2006-08-05 06:03:05 +00:00
|
|
|
* @skb: socket buffer to reserve room on
|
2008-06-28 03:02:14 +00:00
|
|
|
* @attrlen: length of attribute payload
|
2006-08-05 06:03:05 +00:00
|
|
|
*
|
|
|
|
|
* Reserves room for attribute payload without a header.
|
|
|
|
|
*
|
|
|
|
|
* Returns NULL if the tailroom of the skb is insufficient to store
|
|
|
|
|
* the attribute payload.
|
|
|
|
|
*/
|
|
|
|
|
void *nla_reserve_nohdr(struct sk_buff *skb, int attrlen)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < NLA_ALIGN(attrlen)))
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return __nla_reserve_nohdr(skb, attrlen);
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(nla_reserve_nohdr);
|
2006-08-05 06:03:05 +00:00
|
|
|
|
2005-11-10 01:25:51 +00:00
|
|
|
/**
|
|
|
|
|
* __nla_put - Add a netlink attribute to a socket buffer
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
|
|
|
|
*
|
|
|
|
|
* The caller is responsible to ensure that the skb provides enough
|
|
|
|
|
* tailroom for the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
void __nla_put(struct sk_buff *skb, int attrtype, int attrlen,
|
|
|
|
|
const void *data)
|
|
|
|
|
{
|
|
|
|
|
struct nlattr *nla;
|
|
|
|
|
|
|
|
|
|
nla = __nla_reserve(skb, attrtype, attrlen);
|
|
|
|
|
memcpy(nla_data(nla), data, attrlen);
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(__nla_put);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2016-04-21 16:58:24 +00:00
|
|
|
/**
|
|
|
|
|
* __nla_put_64bit - Add a netlink attribute to a socket buffer and align it
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
2016-04-22 15:31:16 +00:00
|
|
|
* @padattr: attribute type for the padding
|
2016-04-21 16:58:24 +00:00
|
|
|
*
|
|
|
|
|
* The caller is responsible to ensure that the skb provides enough
|
|
|
|
|
* tailroom for the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
void __nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen,
|
|
|
|
|
const void *data, int padattr)
|
|
|
|
|
{
|
|
|
|
|
struct nlattr *nla;
|
|
|
|
|
|
|
|
|
|
nla = __nla_reserve_64bit(skb, attrtype, attrlen, padattr);
|
|
|
|
|
memcpy(nla_data(nla), data, attrlen);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(__nla_put_64bit);
|
|
|
|
|
|
2006-08-05 06:03:05 +00:00
|
|
|
/**
|
|
|
|
|
* __nla_put_nohdr - Add a netlink attribute without header
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
|
|
|
|
*
|
|
|
|
|
* The caller is responsible to ensure that the skb provides enough
|
|
|
|
|
* tailroom for the attribute payload.
|
|
|
|
|
*/
|
|
|
|
|
void __nla_put_nohdr(struct sk_buff *skb, int attrlen, const void *data)
|
|
|
|
|
{
|
|
|
|
|
void *start;
|
|
|
|
|
|
|
|
|
|
start = __nla_reserve_nohdr(skb, attrlen);
|
|
|
|
|
memcpy(start, data, attrlen);
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(__nla_put_nohdr);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* nla_put - Add a netlink attribute to a socket buffer
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
|
|
|
|
*
|
2008-06-03 23:36:54 +00:00
|
|
|
* Returns -EMSGSIZE if the tailroom of the skb is insufficient to store
|
2005-11-10 01:25:51 +00:00
|
|
|
* the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
int nla_put(struct sk_buff *skb, int attrtype, int attrlen, const void *data)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < nla_total_size(attrlen)))
|
2008-06-03 23:36:54 +00:00
|
|
|
return -EMSGSIZE;
|
2005-11-10 01:25:51 +00:00
|
|
|
|
|
|
|
|
__nla_put(skb, attrtype, attrlen, data);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(nla_put);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2016-04-21 16:58:24 +00:00
|
|
|
/**
|
|
|
|
|
* nla_put_64bit - Add a netlink attribute to a socket buffer and align it
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrtype: attribute type
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
2016-04-22 15:31:16 +00:00
|
|
|
* @padattr: attribute type for the padding
|
2016-04-21 16:58:24 +00:00
|
|
|
*
|
|
|
|
|
* Returns -EMSGSIZE if the tailroom of the skb is insufficient to store
|
|
|
|
|
* the attribute header and payload.
|
|
|
|
|
*/
|
|
|
|
|
int nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen,
|
|
|
|
|
const void *data, int padattr)
|
|
|
|
|
{
|
|
|
|
|
size_t len;
|
|
|
|
|
|
|
|
|
|
if (nla_need_padding_for_64bit(skb))
|
|
|
|
|
len = nla_total_size_64bit(attrlen);
|
|
|
|
|
else
|
|
|
|
|
len = nla_total_size(attrlen);
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < len))
|
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
|
|
__nla_put_64bit(skb, attrtype, attrlen, data, padattr);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(nla_put_64bit);
|
|
|
|
|
|
2006-08-05 06:03:05 +00:00
|
|
|
/**
|
|
|
|
|
* nla_put_nohdr - Add a netlink attribute without header
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
|
|
|
|
*
|
2008-06-03 23:36:54 +00:00
|
|
|
* Returns -EMSGSIZE if the tailroom of the skb is insufficient to store
|
2006-08-05 06:03:05 +00:00
|
|
|
* the attribute payload.
|
|
|
|
|
*/
|
|
|
|
|
int nla_put_nohdr(struct sk_buff *skb, int attrlen, const void *data)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < NLA_ALIGN(attrlen)))
|
2008-06-03 23:36:54 +00:00
|
|
|
return -EMSGSIZE;
|
2006-08-05 06:03:05 +00:00
|
|
|
|
|
|
|
|
__nla_put_nohdr(skb, attrlen, data);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(nla_put_nohdr);
|
2005-11-10 01:25:51 +00:00
|
|
|
|
2008-01-23 06:10:59 +00:00
|
|
|
/**
|
|
|
|
|
* nla_append - Add a netlink attribute without header or padding
|
|
|
|
|
* @skb: socket buffer to add attribute to
|
|
|
|
|
* @attrlen: length of attribute payload
|
|
|
|
|
* @data: head of attribute payload
|
|
|
|
|
*
|
2008-06-03 23:36:54 +00:00
|
|
|
* Returns -EMSGSIZE if the tailroom of the skb is insufficient to store
|
2008-01-23 06:10:59 +00:00
|
|
|
* the attribute payload.
|
|
|
|
|
*/
|
|
|
|
|
int nla_append(struct sk_buff *skb, int attrlen, const void *data)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(skb_tailroom(skb) < NLA_ALIGN(attrlen)))
|
2008-06-03 23:36:54 +00:00
|
|
|
return -EMSGSIZE;
|
2008-01-23 06:10:59 +00:00
|
|
|
|
networking: introduce and use skb_put_data()
A common pattern with skb_put() is to just want to memcpy()
some data into the new space, introduce skb_put_data() for
this.
An spatch similar to the one for skb_put_zero() converts many
of the places using it:
@@
identifier p, p2;
expression len, skb, data;
type t, t2;
@@
(
-p = skb_put(skb, len);
+p = skb_put_data(skb, data, len);
|
-p = (t)skb_put(skb, len);
+p = skb_put_data(skb, data, len);
)
(
p2 = (t2)p;
-memcpy(p2, data, len);
|
-memcpy(p, data, len);
)
@@
type t, t2;
identifier p, p2;
expression skb, data;
@@
t *p;
...
(
-p = skb_put(skb, sizeof(t));
+p = skb_put_data(skb, data, sizeof(t));
|
-p = (t *)skb_put(skb, sizeof(t));
+p = skb_put_data(skb, data, sizeof(t));
)
(
p2 = (t2)p;
-memcpy(p2, data, sizeof(*p));
|
-memcpy(p, data, sizeof(*p));
)
@@
expression skb, len, data;
@@
-memcpy(skb_put(skb, len), data, len);
+skb_put_data(skb, data, len);
(again, manually post-processed to retain some comments)
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:20 +00:00
|
|
|
skb_put_data(skb, data, attrlen);
|
2008-01-23 06:10:59 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2009-03-11 15:18:32 +00:00
|
|
|
EXPORT_SYMBOL(nla_append);
|
|
|
|
|
#endif
|