1 /*
2 * NETLINK Netlink attributes
3 *
4 * Authors: Thomas Graf <tgraf@suug.ch>
5 * Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
6 */
7
8 #include <linux/export.h>
9 #include <linux/kernel.h>
10 #include <linux/errno.h>
11 #include <linux/jiffies.h>
12 #include <linux/skbuff.h>
13 #include <linux/string.h>
14 #include <linux/types.h>
15 #include <net/netlink.h>
16
/*
 * Minimum payload length, in bytes, implied by an attribute type when the
 * policy entry does not set its own length.  Types without an entry are
 * zero-initialised and therefore imply no minimum.
 *
 * The table is indexed by a policy's type field, so every user must keep
 * that index within 0..NLA_TYPE_MAX.
 */
static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = {
	/* unsigned integers */
	[NLA_U8]	= sizeof(u8),
	[NLA_U16]	= sizeof(u16),
	[NLA_U32]	= sizeof(u32),
	[NLA_U64]	= sizeof(u64),

	/* signed integers */
	[NLA_S8]	= sizeof(s8),
	[NLA_S16]	= sizeof(s16),
	[NLA_S32]	= sizeof(s32),
	[NLA_S64]	= sizeof(s64),

	/* NLA_MSECS is sized like a u64 */
	[NLA_MSECS]	= sizeof(u64),

	/* a non-empty nested attribute holds at least one attribute header */
	[NLA_NESTED]	= NLA_HDRLEN,
};
29
/*
 * Check a single attribute against the policy entry for its type.
 *
 * Returns 0 when the attribute is acceptable, and also when its type lies
 * outside 1..maxtype (such attributes are not validated here).  Returns
 * -ERANGE when the payload length violates the policy and -EINVAL when an
 * NLA_NUL_STRING payload has no NUL byte in the range that is checked.
 *
 * policy is indexed directly with the attribute type, so the caller has to
 * supply an array of at least maxtype + 1 entries.
 */
static int validate_nla(const struct nlattr *nla, int maxtype,
			const struct nla_policy *policy)
{
	const struct nla_policy *pt;
	int minlen = 0, attrlen = nla_len(nla), type = nla_type(nla);

	/* Types the policy does not cover pass without any check. */
	if (type <= 0 || type > maxtype)
		return 0;

	pt = &policy[type];

	/*
	 * pt->type is used as an index into nla_attr_minlen[] in the default
	 * branch; a policy entry outside that table is treated as a kernel bug.
	 */
	BUG_ON(pt->type > NLA_TYPE_MAX);

	switch (pt->type) {
	case NLA_FLAG:
		/* A flag must not carry a payload. */
		if (attrlen > 0)
			return -ERANGE;
		break;

	case NLA_NUL_STRING:
		/*
		 * The terminator is searched for within pt->len + 1 bytes when
		 * a maximum is set, otherwise within the whole payload.  An
		 * empty payload is rejected.
		 */
		if (pt->len)
			minlen = min_t(int, attrlen, pt->len + 1);
		else
			minlen = attrlen;

		if (!minlen || memchr(nla_data(nla), '\0', minlen) == NULL)
			return -EINVAL;
		/* fall through */

	case NLA_STRING:
		if (attrlen < 1)
			return -ERANGE;

		/*
		 * With pt->len set, one trailing NUL is not counted against
		 * the maximum.  With pt->len == 0 no upper bound is applied,
		 * and NLA_STRING never requires a terminator: consumers must
		 * not treat such a payload as a C string.
		 */
		if (pt->len) {
			char *buf = nla_data(nla);

			if (buf[attrlen - 1] == '\0')
				attrlen--;

			if (attrlen > pt->len)
				return -ERANGE;
		}
		break;

	case NLA_BINARY:
		/* Only an upper bound, and only when pt->len is non-zero. */
		if (pt->len && attrlen > pt->len)
			return -ERANGE;
		break;

	case NLA_NESTED_COMPAT:
		/*
		 * Payload is a fixed part of pt->len bytes, optionally followed
		 * (after alignment) by one nested attribute.
		 */
		if (attrlen < pt->len)
			return -ERANGE;
		/* Nothing after the fixed part: accepted as is. */
		if (attrlen < NLA_ALIGN(pt->len))
			break;
		/* The nested header must fit before it is read below. */
		if (attrlen < NLA_ALIGN(pt->len) + NLA_HDRLEN)
			return -ERANGE;
		/* nla now refers to the nested attribute header. */
		nla = nla_data(nla) + NLA_ALIGN(pt->len);
		/* The nested attribute's own length must stay inside the payload. */
		if (attrlen < NLA_ALIGN(pt->len) + NLA_HDRLEN + nla_len(nla))
			return -ERANGE;
		break;
	case NLA_NESTED:
		/* A nested attribute is allowed to be empty; if it is not,
		 * it must have a size of at least NLA_HDRLEN.
		 */
		if (attrlen == 0)
			break;
		/* fall through */
	default:
		/*
		 * An explicit pt->len takes precedence over the per-type table.
		 * NLA_UNSPEC without pt->len keeps minlen at 0.
		 */
		if (pt->len)
			minlen = pt->len;
		else if (pt->type != NLA_UNSPEC)
			minlen = nla_attr_minlen[pt->type];

		/*
		 * Only a minimum is enforced here: a payload longer than the
		 * expected size is still accepted.
		 */
		if (attrlen < minlen)
			return -ERANGE;
	}

	return 0;
}
108
/**
 * nla_validate - Validate a stream of attributes
 * @head: head of attribute stream
 * @len: length of attribute stream
 * @maxtype: maximum attribute type to be expected
 * @policy: validation policy
 * @extack: extended ACK report struct
 *
 * Walks the attribute stream and checks every attribute against the
 * policy. Attributes whose type exceeds maxtype are ignored. See the
 * documentation of struct nla_policy for more details.
 *
 * Validation stops at the first failing attribute; when extack is
 * non-NULL its bad_attr field is pointed at that attribute. policy is
 * passed on unconditionally, so unlike nla_parse() it must not be NULL.
 *
 * Returns 0 on success or a negative error code.
 */
int nla_validate(const struct nlattr *head, int len, int maxtype,
		 const struct nla_policy *policy,
		 struct netlink_ext_ack *extack)
{
	const struct nlattr *attr;
	int remaining;

	nla_for_each_attr(attr, head, len, remaining) {
		int rc = validate_nla(attr, maxtype, policy);

		if (rc >= 0)
			continue;

		/* Report the offending attribute to the caller, if asked to. */
		if (extack)
			extack->bad_attr = attr;
		return rc;
	}

	return 0;
}
EXPORT_SYMBOL(nla_validate);
143
/**
 * nla_policy_len - Determine the max. length of a policy
 * @p: policy to use
 * @n: number of policies
 *
 * Sums, over the first n policy entries, the total attribute size for
 * the entry's len, or for the per-type minimum length when len is zero.
 * Entries with neither contribute nothing. It is currently used to
 * allocate Netlink buffers roughly the size of the actual message.
 *
 * Returns the accumulated length.
 */
int
nla_policy_len(const struct nla_policy *p, int n)
{
	int total = 0;
	int idx;

	for (idx = 0; idx < n; idx++) {
		const struct nla_policy *entry = &p[idx];
		int payload;

		/*
		 * NOTE(review): entry->type indexes nla_attr_minlen[] without
		 * the range check that validate_nla() performs; this relies
		 * on the policy table being well-formed.
		 */
		payload = entry->len ? entry->len : nla_attr_minlen[entry->type];

		if (payload)
			total += nla_total_size(payload);
	}

	return total;
}
EXPORT_SYMBOL(nla_policy_len);
170
/**
 * nla_parse - Parse a stream of attributes into a tb buffer
 * @tb: destination array with maxtype+1 elements
 * @maxtype: maximum attribute type to be expected
 * @head: head of attribute stream
 * @len: length of attribute stream
 * @policy: validation policy
 * @extack: extended ACK report struct
 *
 * Clears tb, then stores a pointer to each attribute of type 1..maxtype
 * in tb[type]. The pointers refer into the original stream. When a type
 * occurs more than once, the last occurrence wins. Attributes with a
 * type exceeding maxtype are silently ignored for backwards compatibility
 * reasons.
 *
 * policy may be NULL, in which case no attribute is validated and the
 * caller must check payload lengths itself before reading them. Bytes
 * left over after the last attribute only produce a rate-limited
 * warning; they do not make the call fail.
 *
 * Returns 0 on success or a negative error code. On a validation error
 * extack->bad_attr is set when extack is non-NULL.
 */
int nla_parse(struct nlattr **tb, int maxtype, const struct nlattr *head,
	      int len, const struct nla_policy *policy,
	      struct netlink_ext_ack *extack)
{
	const struct nlattr *attr;
	int remaining;

	/* tb must really hold maxtype + 1 slots: all of them are written. */
	memset(tb, 0, (maxtype + 1) * sizeof(*tb));

	nla_for_each_attr(attr, head, len, remaining) {
		u16 type = nla_type(attr);

		if (type == 0 || type > maxtype)
			continue;

		if (policy) {
			int rc = validate_nla(attr, maxtype, policy);

			if (rc < 0) {
				if (extack)
					extack->bad_attr = attr;
				return rc;
			}
		}

		tb[type] = (struct nlattr *)attr;
	}

	if (unlikely(remaining > 0))
		pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n",
				    remaining, current->comm);

	return 0;
}
EXPORT_SYMBOL(nla_parse);
221
/**
 * nla_find - Find a specific attribute in a stream of attributes
 * @head: head of attribute stream
 * @len: length of attribute stream
 * @attrtype: type of attribute to look for
 *
 * Returns the first attribute in the stream whose type equals attrtype,
 * or NULL when there is none. The attribute is not validated against
 * any policy.
 */
struct nlattr *nla_find(const struct nlattr *head, int len, int attrtype)
{
	const struct nlattr *attr;
	int remaining;

	nla_for_each_attr(attr, head, len, remaining) {
		if (nla_type(attr) != attrtype)
			continue;

		return (struct nlattr *)attr;
	}

	return NULL;
}
EXPORT_SYMBOL(nla_find);
242
/**
 * nla_strlcpy - Copy string attribute payload into a sized buffer
 * @dst: where to copy the string to
 * @nla: attribute to copy the string from
 * @dstsize: size of destination buffer
 *
 * Copies at most dstsize - 1 bytes into the destination buffer.
 * The result is always a valid NUL-terminated string. Unlike
 * strlcpy the destination buffer is always padded out: all dstsize
 * bytes are zeroed before the copy. Nothing is written when dstsize
 * is 0.
 *
 * Returns the length of the source payload, not counting one trailing
 * NUL byte if present. A return value >= dstsize means the copy was
 * truncated.
 */
size_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize)
{
	char *payload = nla_data(nla);
	size_t payload_len = nla_len(nla);
	size_t ncopy;

	/* A single trailing terminator does not count as string content. */
	if (payload_len > 0 && payload[payload_len - 1] == '\0')
		payload_len--;

	if (dstsize == 0)
		return payload_len;

	if (payload_len >= dstsize)
		ncopy = dstsize - 1;
	else
		ncopy = payload_len;

	/* Zero first so the tail, including the terminator, is always set. */
	memset(dst, 0, dstsize);
	memcpy(dst, payload, ncopy);

	return payload_len;
}
EXPORT_SYMBOL(nla_strlcpy);
273
/**
 * nla_memcpy - Copy a netlink attribute into another memory area
 * @dest: where to copy to
 * @src: netlink attribute to copy from
 * @count: size of the destination area
 *
 * Note: The number of bytes copied is limited by the length of the
 * attribute's payload. When the payload is shorter than count, the
 * rest of the destination area is zero-filled.
 *
 * count and the payload length are signed and are not checked for
 * being negative here; the caller is expected to pass a valid size and
 * an attribute whose length has already been checked.
 *
 * Returns the number of bytes copied.
 */
int nla_memcpy(void *dest, const struct nlattr *src, int count)
{
	int copied = min_t(int, count, nla_len(src));

	memcpy(dest, nla_data(src), copied);

	/* Short payload: clear what the copy did not reach. */
	if (count > copied)
		memset(dest + copied, 0, count - copied);

	return copied;
}
EXPORT_SYMBOL(nla_memcpy);
296
/**
 * nla_memcmp - Compare an attribute with sized memory area
 * @nla: netlink attribute
 * @data: memory area
 * @size: size of memory area
 *
 * Returns the difference between the payload length and size when the
 * two differ, otherwise the result of memcmp() over size bytes.
 */
int nla_memcmp(const struct nlattr *nla, const void *data,
	       size_t size)
{
	int diff = nla_len(nla) - size;

	/* Contents are only compared once the lengths are known to match. */
	if (diff != 0)
		return diff;

	return memcmp(nla_data(nla), data, size);
}
EXPORT_SYMBOL(nla_memcmp);
314
/**
 * nla_strcmp - Compare a string attribute against a string
 * @nla: netlink string attribute
 * @str: another string
 *
 * One trailing NUL byte of the attribute payload, if present, is not
 * counted. Returns the length difference when the lengths differ,
 * otherwise the result of memcmp() over strlen(str) bytes.
 */
int nla_strcmp(const struct nlattr *nla, const char *str)
{
	char *payload = nla_data(nla);
	int payload_len = nla_len(nla);
	int str_len = strlen(str);
	int diff;

	if (payload_len > 0 && payload[payload_len - 1] == '\0')
		payload_len--;

	diff = payload_len - str_len;
	if (diff != 0)
		return diff;

	return memcmp(payload, str, str_len);
}
EXPORT_SYMBOL(nla_strcmp);
337
338 #ifdef CONFIG_NET
/**
 * __nla_reserve - reserve room for attribute on the skb
 * @skb: socket buffer to reserve room on
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 *
 * Adds a netlink attribute header to a socket buffer and reserves
 * room for the payload but does not copy it. The alignment padding
 * after the payload is zeroed; the payload area itself is not written
 * here, so the caller must fill all attrlen bytes.
 *
 * The caller is responsible to ensure that the skb provides enough
 * tailroom for the attribute header and payload.
 */
struct nlattr *__nla_reserve(struct sk_buff *skb, int attrtype, int attrlen)
{
	struct nlattr *nla = skb_put(skb, nla_total_size(attrlen));
	unsigned char *pad;

	nla->nla_type = attrtype;
	nla->nla_len = nla_attr_size(attrlen);

	/* Padding starts right after header + payload. */
	pad = (unsigned char *) nla + nla->nla_len;
	memset(pad, 0, nla_padlen(attrlen));

	return nla;
}
EXPORT_SYMBOL(__nla_reserve);
364
/**
 * __nla_reserve_64bit - reserve room for attribute on the skb and align it
 * @skb: socket buffer to reserve room on
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 * @padattr: attribute type for the padding
 *
 * Adds a netlink attribute header to a socket buffer and reserves
 * room for the payload but does not copy it. When the skb needs it, a
 * padding attribute of type padattr is emitted first so that this
 * attribute gets a 64-bit aligned nla_data() area.
 *
 * The caller is responsible to ensure that the skb provides enough
 * tailroom for the padding, the attribute header and the payload.
 */
struct nlattr *__nla_reserve_64bit(struct sk_buff *skb, int attrtype,
				   int attrlen, int padattr)
{
	bool needs_pad = nla_need_padding_for_64bit(skb);

	if (needs_pad)
		nla_align_64bit(skb, padattr);

	return __nla_reserve(skb, attrtype, attrlen);
}
EXPORT_SYMBOL(__nla_reserve_64bit);
388
/**
 * __nla_reserve_nohdr - reserve room for attribute without header
 * @skb: socket buffer to reserve room on
 * @attrlen: length of attribute payload
 *
 * Reserves zero-filled room for attribute payload without a header.
 * The reserved size is attrlen rounded up with NLA_ALIGN().
 *
 * The caller is responsible to ensure that the skb provides enough
 * tailroom for the payload.
 */
void *__nla_reserve_nohdr(struct sk_buff *skb, int attrlen)
{
	int aligned_len = NLA_ALIGN(attrlen);

	return skb_put_zero(skb, aligned_len);
}
EXPORT_SYMBOL(__nla_reserve_nohdr);
404
/**
 * nla_reserve - reserve room for attribute on the skb
 * @skb: socket buffer to reserve room on
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 *
 * Adds a netlink attribute header to a socket buffer and reserves
 * room for the payload but does not copy it.
 *
 * attrlen is a signed int and is not checked for being negative here;
 * callers are expected to pass a valid payload length.
 *
 * Returns NULL if the tailroom of the skb is insufficient to store
 * the attribute header and payload.
 */
struct nlattr *nla_reserve(struct sk_buff *skb, int attrtype, int attrlen)
{
	int needed = nla_total_size(attrlen);

	if (unlikely(skb_tailroom(skb) < needed))
		return NULL;

	return __nla_reserve(skb, attrtype, attrlen);
}
EXPORT_SYMBOL(nla_reserve);
425
/**
 * nla_reserve_64bit - reserve room for attribute on the skb and align it
 * @skb: socket buffer to reserve room on
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 * @padattr: attribute type for the padding
 *
 * Adds a netlink attribute header to a socket buffer and reserves
 * room for the payload but does not copy it. It also ensures that this
 * attribute will have a 64-bit aligned nla_data() area.
 *
 * Returns NULL if the tailroom of the skb is insufficient to store
 * the attribute header and payload, including the padding attribute
 * when one is needed.
 */
struct nlattr *nla_reserve_64bit(struct sk_buff *skb, int attrtype, int attrlen,
				 int padattr)
{
	/* The space check has to account for the padding attribute too. */
	size_t len = nla_need_padding_for_64bit(skb) ?
		     nla_total_size_64bit(attrlen) :
		     nla_total_size(attrlen);

	if (unlikely(skb_tailroom(skb) < len))
		return NULL;

	return __nla_reserve_64bit(skb, attrtype, attrlen, padattr);
}
EXPORT_SYMBOL(nla_reserve_64bit);
455
/**
 * nla_reserve_nohdr - reserve room for attribute without header
 * @skb: socket buffer to reserve room on
 * @attrlen: length of attribute payload
 *
 * Reserves room for attribute payload without a header.
 *
 * Returns NULL if the tailroom of the skb is insufficient to store
 * the attribute payload rounded up with NLA_ALIGN().
 */
void *nla_reserve_nohdr(struct sk_buff *skb, int attrlen)
{
	int needed = NLA_ALIGN(attrlen);

	if (unlikely(skb_tailroom(skb) < needed))
		return NULL;

	return __nla_reserve_nohdr(skb, attrlen);
}
EXPORT_SYMBOL(nla_reserve_nohdr);
474
/**
 * __nla_put - Add a netlink attribute to a socket buffer
 * @skb: socket buffer to add attribute to
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 *
 * Reserves the attribute and copies attrlen bytes from data into its
 * payload; data must therefore be readable for attrlen bytes.
 *
 * The caller is responsible to ensure that the skb provides enough
 * tailroom for the attribute header and payload.
 */
void __nla_put(struct sk_buff *skb, int attrtype, int attrlen,
	       const void *data)
{
	struct nlattr *attr = __nla_reserve(skb, attrtype, attrlen);

	memcpy(nla_data(attr), data, attrlen);
}
EXPORT_SYMBOL(__nla_put);
494
/**
 * __nla_put_64bit - Add a netlink attribute to a socket buffer and align it
 * @skb: socket buffer to add attribute to
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 * @padattr: attribute type for the padding
 *
 * Reserves a 64-bit aligned attribute and copies attrlen bytes from
 * data into its payload.
 *
 * The caller is responsible to ensure that the skb provides enough
 * tailroom for the attribute header and payload.
 */
void __nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen,
		     const void *data, int padattr)
{
	struct nlattr *attr = __nla_reserve_64bit(skb, attrtype, attrlen,
						  padattr);

	memcpy(nla_data(attr), data, attrlen);
}
EXPORT_SYMBOL(__nla_put_64bit);
515
/**
 * __nla_put_nohdr - Add a netlink attribute without header
 * @skb: socket buffer to add attribute to
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 *
 * Reserves room for the payload and copies attrlen bytes from data
 * into it.
 *
 * The caller is responsible to ensure that the skb provides enough
 * tailroom for the attribute payload.
 */
void __nla_put_nohdr(struct sk_buff *skb, int attrlen, const void *data)
{
	void *payload = __nla_reserve_nohdr(skb, attrlen);

	memcpy(payload, data, attrlen);
}
EXPORT_SYMBOL(__nla_put_nohdr);
533
/**
 * nla_put - Add a netlink attribute to a socket buffer
 * @skb: socket buffer to add attribute to
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 *
 * attrlen is a signed int and is not checked for being negative here;
 * callers are expected to pass a valid payload length.
 *
 * Returns 0 on success, or -EMSGSIZE if the tailroom of the skb is
 * insufficient to store the attribute header and payload.
 */
int nla_put(struct sk_buff *skb, int attrtype, int attrlen, const void *data)
{
	int needed = nla_total_size(attrlen);

	if (unlikely(skb_tailroom(skb) < needed))
		return -EMSGSIZE;

	__nla_put(skb, attrtype, attrlen, data);

	return 0;
}
EXPORT_SYMBOL(nla_put);
553
/**
 * nla_put_64bit - Add a netlink attribute to a socket buffer and align it
 * @skb: socket buffer to add attribute to
 * @attrtype: attribute type
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 * @padattr: attribute type for the padding
 *
 * Returns 0 on success, or -EMSGSIZE if the tailroom of the skb is
 * insufficient to store the attribute header and payload, including
 * the padding attribute when one is needed.
 */
int nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen,
		  const void *data, int padattr)
{
	/* The space check has to account for the padding attribute too. */
	size_t len = nla_need_padding_for_64bit(skb) ?
		     nla_total_size_64bit(attrlen) :
		     nla_total_size(attrlen);

	if (unlikely(skb_tailroom(skb) < len))
		return -EMSGSIZE;

	__nla_put_64bit(skb, attrtype, attrlen, data, padattr);

	return 0;
}
EXPORT_SYMBOL(nla_put_64bit);
581
/**
 * nla_put_nohdr - Add a netlink attribute without header
 * @skb: socket buffer to add attribute to
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 *
 * Returns 0 on success, or -EMSGSIZE if the tailroom of the skb is
 * insufficient to store the attribute payload rounded up with
 * NLA_ALIGN().
 */
int nla_put_nohdr(struct sk_buff *skb, int attrlen, const void *data)
{
	int needed = NLA_ALIGN(attrlen);

	if (unlikely(skb_tailroom(skb) < needed))
		return -EMSGSIZE;

	__nla_put_nohdr(skb, attrlen, data);

	return 0;
}
EXPORT_SYMBOL(nla_put_nohdr);
600
/**
 * nla_append - Add a netlink attribute without header or padding
 * @skb: socket buffer to add attribute to
 * @attrlen: length of attribute payload
 * @data: head of attribute payload
 *
 * The tailroom check uses the NLA_ALIGN()ed length, but exactly attrlen
 * bytes are appended and no padding is written.
 *
 * Returns 0 on success, or -EMSGSIZE if the tailroom of the skb is
 * insufficient to store the attribute payload.
 */
int nla_append(struct sk_buff *skb, int attrlen, const void *data)
{
	int needed = NLA_ALIGN(attrlen);

	if (unlikely(skb_tailroom(skb) < needed))
		return -EMSGSIZE;

	skb_put_data(skb, data, attrlen);

	return 0;
}
EXPORT_SYMBOL(nla_append);
619 #endif