netfilter: nf_tables: limit allowed range via nla_policy

These NLA_U32 types get stored in u8 fields, reject invalid values
instead of silently casting to u8.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index 84eae7cabc67a6a4c26b3994ba902d65c328a7c6..14e3c44ef95933c1e2d5bd27b3bd9e31823530ac 100644 (file)
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -86,7 +86,7 @@ static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = {
        [NFTA_BITWISE_LEN]      = { .type = NLA_U32 },
        [NFTA_BITWISE_MASK]     = { .type = NLA_NESTED },
        [NFTA_BITWISE_XOR]      = { .type = NLA_NESTED },
-       [NFTA_BITWISE_OP]       = { .type = NLA_U32 },
+       [NFTA_BITWISE_OP]       = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_BITWISE_DATA]     = { .type = NLA_NESTED },
 };
 

diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index b66647a5a17175941ad3d7c28f4259534a822d61..9a85e797ed58bee9fa2e378a1f876f5cbf45d4ae 100644 (file)
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -88,9 +88,9 @@ void nft_byteorder_eval(const struct nft_expr *expr,
 static const struct nla_policy nft_byteorder_policy[NFTA_BYTEORDER_MAX + 1] = {
        [NFTA_BYTEORDER_SREG]   = { .type = NLA_U32 },
        [NFTA_BYTEORDER_DREG]   = { .type = NLA_U32 },
-       [NFTA_BYTEORDER_OP]     = { .type = NLA_U32 },
-       [NFTA_BYTEORDER_LEN]    = { .type = NLA_U32 },
-       [NFTA_BYTEORDER_SIZE]   = { .type = NLA_U32 },
+       [NFTA_BYTEORDER_OP]     = NLA_POLICY_MAX(NLA_BE32, 255),
+       [NFTA_BYTEORDER_LEN]    = NLA_POLICY_MAX(NLA_BE32, 255),
+       [NFTA_BYTEORDER_SIZE]   = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_byteorder_init(const struct nft_ctx *ctx,

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index b9c84499438b01e4d0b2ab0476205bfb7c7c3a39..38958e067aa8a872512879526ea9a03c337f8010 100644 (file)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -332,7 +332,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
 
 static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
        [NFTA_CT_DREG]          = { .type = NLA_U32 },
-       [NFTA_CT_KEY]           = { .type = NLA_U32 },
+       [NFTA_CT_KEY]           = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_CT_DIRECTION]     = { .type = NLA_U8 },
        [NFTA_CT_SREG]          = { .type = NLA_U32 },
 };

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index bd19c7aec92ee7ca47dc0c9024bd33b82027c5a7..4fb34d76dbeaffa93629b8147e5a4750dd31ead5 100644 (file)
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -148,7 +148,7 @@ static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
        [NFTA_DYNSET_SET_NAME]  = { .type = NLA_STRING,
                                    .len = NFT_SET_MAXNAMELEN - 1 },
        [NFTA_DYNSET_SET_ID]    = { .type = NLA_U32 },
-       [NFTA_DYNSET_OP]        = { .type = NLA_U32 },
+       [NFTA_DYNSET_OP]        = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_DYNSET_SREG_KEY]  = { .type = NLA_U32 },
        [NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
        [NFTA_DYNSET_TIMEOUT]   = { .type = NLA_U64 },

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 671474e5981781b20eeec02084c47f6ad2dd146e..7f856ceb3a668268205882643b39f56aa2588f97 100644 (file)
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -487,9 +487,9 @@ static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
        [NFTA_EXTHDR_DREG]              = { .type = NLA_U32 },
        [NFTA_EXTHDR_TYPE]              = { .type = NLA_U8 },
        [NFTA_EXTHDR_OFFSET]            = { .type = NLA_U32 },
-       [NFTA_EXTHDR_LEN]               = { .type = NLA_U32 },
+       [NFTA_EXTHDR_LEN]               = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_EXTHDR_FLAGS]             = { .type = NLA_U32 },
-       [NFTA_EXTHDR_OP]                = { .type = NLA_U32 },
+       [NFTA_EXTHDR_OP]                = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_EXTHDR_SREG]              = { .type = NLA_U32 },
 };
 

diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 7b9d4d1bd17c8b351d2dc3d4b56295ecd40b2512..a5268e6dd32f1bbb1aa72525afbea5793544aec4 100644 (file)
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -40,7 +40,7 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
 static const struct nla_policy nft_fwd_netdev_policy[NFTA_FWD_MAX + 1] = {
        [NFTA_FWD_SREG_DEV]     = { .type = NLA_U32 },
        [NFTA_FWD_SREG_ADDR]    = { .type = NLA_U32 },
-       [NFTA_FWD_NFPROTO]      = { .type = NLA_U32 },
+       [NFTA_FWD_NFPROTO]      = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_fwd_netdev_init(const struct nft_ctx *ctx,

diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index ee8d487b69c0d743b80d279295cfb58517a1a5cc..92d47e4692046ddb5febcd199c9684fc8dec4a28 100644 (file)
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -59,7 +59,7 @@ static void nft_symhash_eval(const struct nft_expr *expr,
 static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
        [NFTA_HASH_SREG]        = { .type = NLA_U32 },
        [NFTA_HASH_DREG]        = { .type = NLA_U32 },
-       [NFTA_HASH_LEN]         = { .type = NLA_U32 },
+       [NFTA_HASH_LEN]         = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_HASH_MODULUS]     = { .type = NLA_U32 },
        [NFTA_HASH_SEED]        = { .type = NLA_U32 },
        [NFTA_HASH_OFFSET]      = { .type = NLA_U32 },

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index e384e0de7a54dba81c6ad4854c3f04bb8e36206f..8fdc7318c03c7ff5757de5e7543d640f9f2020b5 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -458,7 +458,7 @@ EXPORT_SYMBOL_GPL(nft_meta_set_eval);
 
 const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
        [NFTA_META_DREG]        = { .type = NLA_U32 },
-       [NFTA_META_KEY]         = { .type = NLA_U32 },
+       [NFTA_META_KEY]         = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_META_SREG]        = { .type = NLA_U32 },
 };
 EXPORT_SYMBOL_GPL(nft_meta_policy);

diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c
index 0566d6aaf1e5af4b46831271f23e2c93186fa350..51ae64cd268f43f626b35ba958c7bb8b9600ed20 100644 (file)
--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -42,7 +42,7 @@ void nft_range_eval(const struct nft_expr *expr,
 
 static const struct nla_policy nft_range_policy[NFTA_RANGE_MAX + 1] = {
        [NFTA_RANGE_SREG]               = { .type = NLA_U32 },
-       [NFTA_RANGE_OP]                 = { .type = NLA_U32 },
+       [NFTA_RANGE_OP]                 = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_RANGE_FROM_DATA]          = { .type = NLA_NESTED },
        [NFTA_RANGE_TO_DATA]            = { .type = NLA_NESTED },
 };

diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
index f2addc844dd2d2f1c486e0fdbd4c3fd6b7f88e17..ed2e668474d677b30183f914b41f04351d62be00 100644 (file)
--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -18,7 +18,7 @@
 #include <linux/icmpv6.h>
 
 const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
-       [NFTA_REJECT_TYPE]              = { .type = NLA_U32 },
+       [NFTA_REJECT_TYPE]              = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_REJECT_ICMP_CODE]         = { .type = NLA_U8 },
 };
 EXPORT_SYMBOL_GPL(nft_reject_policy);

diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c
index 5990fdd7b3cc3981f8305d88b716dd318ae18998..35a2c28caa60bb6d50da5febbf5a6d2be7c9bdd9 100644 (file)
--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -104,7 +104,7 @@ err:
 
 static const struct nla_policy nft_rt_policy[NFTA_RT_MAX + 1] = {
        [NFTA_RT_DREG]          = { .type = NLA_U32 },
-       [NFTA_RT_KEY]           = { .type = NLA_U32 },
+       [NFTA_RT_KEY]           = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_rt_get_init(const struct nft_ctx *ctx,

diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 85f8df87efdaa22687ad5e4a7d281f901add29ba..84def74698b78b77bd95dead1b3ee68d48521d45 100644 (file)
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -138,9 +138,9 @@ static void nft_socket_eval(const struct nft_expr *expr,
 }
 
 static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
-       [NFTA_SOCKET_KEY]               = { .type = NLA_U32 },
+       [NFTA_SOCKET_KEY]               = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_SOCKET_DREG]              = { .type = NLA_U32 },
-       [NFTA_SOCKET_LEVEL]             = { .type = NLA_U32 },
+       [NFTA_SOCKET_LEVEL]             = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_socket_init(const struct nft_ctx *ctx,

diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index ea83f661417e49d4f42ac59314d62fce68d7a19e..ae15cd693f0ec2857215c1daa7e633af222de423 100644 (file)
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -183,7 +183,7 @@ static void nft_tproxy_eval(const struct nft_expr *expr,
 }
 
 static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
-       [NFTA_TPROXY_FAMILY]   = { .type = NLA_U32 },
+       [NFTA_TPROXY_FAMILY]   = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
        [NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
 };

diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index b059aa54179860944c6da16afc92bcd2a3109bdb..9f21953c7433ff942caba909a8c8673baa3e003c 100644 (file)
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -66,9 +66,9 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 }
 
 static const struct nla_policy nft_tunnel_policy[NFTA_TUNNEL_MAX + 1] = {
-       [NFTA_TUNNEL_KEY]       = { .type = NLA_U32 },
+       [NFTA_TUNNEL_KEY]       = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_TUNNEL_DREG]      = { .type = NLA_U32 },
-       [NFTA_TUNNEL_MODE]      = { .type = NLA_U32 },
+       [NFTA_TUNNEL_MODE]      = NLA_POLICY_MAX(NLA_BE32, 255),
 };
 
 static int nft_tunnel_get_init(const struct nft_ctx *ctx,

diff --git a/net/netfilter/nft_xfrm.c b/net/netfilter/nft_xfrm.c
index c88fd078a9ae5d8166dd4deeeb75d0050754034d..452f8587addadce5a2e1f480d5685eb70c5760b0 100644 (file)
--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -16,9 +16,9 @@
 #include <net/xfrm.h>
 
 static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
-       [NFTA_XFRM_KEY]         = { .type = NLA_U32 },
+       [NFTA_XFRM_KEY]         = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_XFRM_DIR]         = { .type = NLA_U8 },
-       [NFTA_XFRM_SPNUM]       = { .type = NLA_U32 },
+       [NFTA_XFRM_SPNUM]       = NLA_POLICY_MAX(NLA_BE32, 255),
        [NFTA_XFRM_DREG]        = { .type = NLA_U32 },
 };