
Merge tag 'nf-next-23-08-22' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter updates for net-next

First patch resolves a fortify warning by wrapping the to-be-copied
members via struct_group.

Second patch replaces array[0] with array[] in ebtables uapi.
Both changes from GONG Ruiqi.

The largest chunk is replacement of strncpy with strscpy_pad()
in netfilter, from Justin Stitt.

Last patch, from myself, aborts ruleset validation if a fatal
signal is pending, this speeds up process exit.

* tag 'nf-next-23-08-22' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: nf_tables: allow loop termination for pending fatal signal
netfilter: xtables: refactor deprecated strncpy
netfilter: x_tables: refactor deprecated strncpy
netfilter: nft_meta: refactor deprecated strncpy
netfilter: nft_osf: refactor deprecated strncpy
netfilter: nf_tables: refactor deprecated strncpy
netfilter: nf_tables: refactor deprecated strncpy
netfilter: ipset: refactor deprecated strncpy
netfilter: ebtables: replace zero-length array members
netfilter: ebtables: fix fortify warnings in size_entry_mwt()
====================

Link: https://lore.kernel.org/r/20230822154336.12888-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+35 -29
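--- a/include/uapi/linux/netfilter_bridge/ebtables.h
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -87,7 +87,7 @@
 /* nr. of entries */
 unsigned int nentries;
 /* entry list */
-char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 };
 
 /* used for the bitmask of struct ebt_entry */
@@ -129,7 +129,7 @@
 } u;
 /* size of data */
 unsigned int match_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 };
 
 struct ebt_entry_watcher {
@@ -142,7 +142,7 @@
 } u;
 /* size of data */
 unsigned int watcher_size;
-unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+unsigned char data[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 };
 
 struct ebt_entry_target {
@@ -182,13 +182,15 @@
 unsigned char sourcemsk[ETH_ALEN];
 unsigned char destmac[ETH_ALEN];
 unsigned char destmsk[ETH_ALEN];
-/* sizeof ebt_entry + matches */
-unsigned int watchers_offset;
-/* sizeof ebt_entry + matches + watchers */
-unsigned int target_offset;
-/* sizeof ebt_entry + matches + watchers + target */
-unsigned int next_offset;
-unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+__struct_group(/* no tag */, offsets, /* no attrs */,
+/* sizeof ebt_entry + matches */
+unsigned int watchers_offset;
+/* sizeof ebt_entry + matches + watchers */
+unsigned int target_offset;
+/* sizeof ebt_entry + matches + watchers + target */
+unsigned int next_offset;
+);
+unsigned char elems[] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
 };
 
 static __inline__ struct ebt_entry_target *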
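Review bot: The new `__struct_group(/* no tag */, offsets, /* no attrs */,` in the fourth hunk says nothing about why exactly these three fields are grouped, and the reason lives in a different file; a one-line comment above it such as `/* grouped so the three offsets can be copied as one block, see size_entry_mwt() */` would keep that layout contract visible in the uapi header where the fields are defined. `__struct_group` is provided by the uapi `<linux/stddef.h>`; this header's include list is outside the hunk, so confirm the macro reaches userspace consumers of this header. The `data[]` and `elems[]` conversions look correct as each is the final member of its struct.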
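--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2115,8 +2115,7 @@
 return ret;
 
 offsets[0] = sizeof(struct ebt_entry); /* matches come first */
-memcpy(&offsets[1], &entry->watchers_offset,
-sizeof(offsets) - sizeof(offsets[0]));
+memcpy(&offsets[1], &entry->offsets, sizeof(entry->offsets));
 
 if (state->buf_kern_start) {
 buf_start = state->buf_kern_start + state->buf_kern_offset;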
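Review bot: The new memcpy at 2118 bounds the copy by the source, `sizeof(entry->offsets)`, whereas the removed lines bounded it by the destination, so a field added to the `offsets` group later would silently overrun the local `offsets[]` array, whose declaration is outside this hunk. Pinning the two sizes together keeps the fortify fix without giving up the old destination bound: `BUILD_BUG_ON(sizeof(entry->offsets) != sizeof(offsets) - sizeof(offsets[0]));` placed immediately before the memcpy. The enclosing function starts and ends outside the hunk.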
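--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -872,7 +872,7 @@
 BUG_ON(!set);
 
 read_lock_bh(&ip_set_ref_lock);
-strncpy(name, set->name, IPSET_MAXNAMELEN);
+strscpy_pad(name, set->name, IPSET_MAXNAMELEN);
 read_unlock_bh(&ip_set_ref_lock);
 }
 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
@@ -1326,7 +1326,7 @@
 goto out;
 }
 }
-strncpy(set->name, name2, IPSET_MAXNAMELEN);
+strscpy_pad(set->name, name2, IPSET_MAXNAMELEN);
 
 out:
 write_unlock_bh(&ip_set_ref_lock);
@@ -1380,9 +1380,9 @@
 return -EBUSY;
 }
 
-strncpy(from_name, from->name, IPSET_MAXNAMELEN);
-strncpy(from->name, to->name, IPSET_MAXNAMELEN);
-strncpy(to->name, from_name, IPSET_MAXNAMELEN);
+strscpy_pad(from_name, from->name, IPSET_MAXNAMELEN);
+strscpy_pad(from->name, to->name, IPSET_MAXNAMELEN);
+strscpy_pad(to->name, from_name, IPSET_MAXNAMELEN);
 
 swap(from->ref, to->ref);
 ip_set(inst, from_id) = to;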
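Review bot: Swapping strncpy() for strscpy_pad() at 875, 1329 and 1383-1385 is not purely cosmetic for a source that fills all IPSET_MAXNAMELEN bytes without a terminator: strncpy() copied every byte unterminated, while strscpy_pad() now stops at IPSET_MAXNAMELEN - 1 and returns -E2BIG, a value every call site here discards. If set names are guaranteed NUL-terminated when they enter the kernel (that validation is not in this hunk) the change is a no-op, and the guarantee is worth stating once, e.g. `/* set names are NUL-terminated on entry, so strscpy_pad() never truncates */` above 1383. The same observation applies to the strscpy_pad() conversions in nft_ct.c, nft_fib.c, nft_meta.c, nft_osf.c, x_tables.c and xt_repldata.h.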
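--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3675,6 +3675,9 @@
 return -EMLINK;
 
 list_for_each_entry(rule, &chain->rules, list) {
+if (fatal_signal_pending(current))
+return -EINTR;
+
 if (!nft_is_active_next(ctx->net, rule))
 continue;
 
@@ -10481,6 +10478,9 @@
 
 if (ctx->chain == chain)
 return -ELOOP;
+
+if (fatal_signal_pending(current))
+return -EINTR;
 
 list_for_each_entry(rule, &chain->rules, list) {
 nft_rule_for_each_expr(expr, last, rule) {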
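Review bot: The two new checks are placed inconsistently: the first hunk tests fatal_signal_pending() once per rule inside the list_for_each_entry() loop at 3677, while the second hunk at 10482 tests it once before the loop, so a chain with a long rule list is still walked to its end after the signal arrives. If the per-chain placement is deliberate because the nested nft_rule_for_each_expr() walk at 10486 re-enters this function per expression (which the hunk does not show), a short comment such as `/* checked once per chain; the expression walk below recurses back here */` would stop the next reader from moving it; otherwise the check belongs inside the loop body as in the first hunk. Returning -EINTR also relies on every caller of these validation walks treating it as an abort rather than as a per-rule error; those callers are outside the hunk. Both enclosing functions start and end outside the hunk.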
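--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -108,7 +108,7 @@
 helper = rcu_dereference(help->helper);
 if (helper == NULL)
 goto err;
-strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
+strscpy_pad((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
 return;
 #ifdef CONFIG_NF_CONNTRACK_LABELS
 case NFT_CT_LABELS: {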
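--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -151,7 +151,7 @@
 if (priv->flags & NFTA_FIB_F_PRESENT)
 *dreg = !!dev;
 else
-strncpy(reg, dev ? dev->name : "", IFNAMSIZ);
+strscpy_pad(reg, dev ? dev->name : "", IFNAMSIZ);
 break;
 default:
 WARN_ON_ONCE(1);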
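--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -185,12 +185,12 @@
 case NFT_META_IIFKIND:
 if (!in || !in->rtnl_link_ops)
 return false;
-strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
+strscpy_pad((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
 break;
 case NFT_META_OIFKIND:
 if (!out || !out->rtnl_link_ops)
 return false;
-strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
+strscpy_pad((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
 break;
 default:
 return false;
@@ -206,7 +206,7 @@
 
 static void nft_meta_store_ifname(u32 *dest, const struct net_device *dev)
 {
-strncpy((char *)dest, dev ? dev->name : "", IFNAMSIZ);
+strscpy_pad((char *)dest, dev ? dev->name : "", IFNAMSIZ);
 }
 
 static bool nft_meta_store_iftype(u32 *dest, const struct net_device *dev)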
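--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -23,7 +23,7 @@
 struct nft_osf *priv = nft_expr_priv(expr);
 u32 *dest = &regs->data[priv->dreg];
 struct sk_buff *skb = pkt->skb;
-char os_match[NFT_OSF_MAXGENRELEN + 1];
+char os_match[NFT_OSF_MAXGENRELEN];
 const struct tcphdr *tcp;
 struct nf_osf_data data;
 struct tcphdr _tcph;
@@ -45,7 +45,7 @@
 }
 
 if (!nf_osf_find(skb, nf_osf_fingers, priv->ttl, &data)) {
-strncpy((char *)dest, "unknown", NFT_OSF_MAXGENRELEN);
+strscpy_pad((char *)dest, "unknown", NFT_OSF_MAXGENRELEN);
 } else {
 if (priv->flags & NFT_OSF_F_VERSION)
 snprintf(os_match, NFT_OSF_MAXGENRELEN, "%s:%s",
@@ -53,7 +53,7 @@
 else
 strscpy(os_match, data.genre, NFT_OSF_MAXGENRELEN);
 
-strncpy((char *)dest, os_match, NFT_OSF_MAXGENRELEN);
+strscpy_pad((char *)dest, os_match, NFT_OSF_MAXGENRELEN);
 }
 }
 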
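Review bot: Shrinking `os_match` to NFT_OSF_MAXGENRELEN at 26 is only safe because both writers, the snprintf() at 51 and the strscpy() at 54, pass NFT_OSF_MAXGENRELEN as their bound and therefore always leave room for the terminator; that coupling between the array size and the two bounds is now implicit. A comment on the declaration, `/* sized to the NFT_OSF_MAXGENRELEN bound used by snprintf()/strscpy() below */`, would make it explicit for whoever next edits one of the three sites. The enclosing function starts before and ends after the hunk.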
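--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -768,7 +768,7 @@
 m->u.user.match_size = msize;
 strscpy(name, match->name, sizeof(name));
 module_put(match->me);
-strncpy(m->u.user.name, name, sizeof(m->u.user.name));
+strscpy_pad(m->u.user.name, name, sizeof(m->u.user.name));
 
 *size += off;
 *dstptr += msize;
@@ -1148,7 +1148,7 @@
 t->u.user.target_size = tsize;
 strscpy(name, target->name, sizeof(name));
 module_put(target->me);
-strncpy(t->u.user.name, name, sizeof(t->u.user.name));
+strscpy_pad(t->u.user.name, name, sizeof(t->u.user.name));
 
 *size += off;
 *dstptr += tsize;
@@ -2014,4 +2014,3 @@
 
 module_init(xt_init);
 module_exit(xt_fini);
-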
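--- a/net/netfilter/xt_repldata.h
+++ b/net/netfilter/xt_repldata.h
@@ -29,7 +29,7 @@
 if (tbl == NULL) \
 return NULL; \
 term = (struct type##_error *)&(((char *)tbl)[term_offset]); \
-strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
+strscpy_pad(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
 *term = (struct type##_error)typ2##_ERROR_INIT; \
 tbl->repl.valid_hooks = hook_mask; \
 tbl->repl.num_entries = nhooks + 1; \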