On Mon, May 30, 2016 at 05:41:00PM +0200, Carlos Falgueras García wrote:
> Checks the commentary maximum length and reports to user in case of error.
> 
> The commentary rule of the parser was simplified in order to centralize the
> length checking.
> 
> Signed-off-by: Carlos Falgueras García <carlo...@riseup.net>
> ---
>  include/parser.h   |  6 ++++++
>  src/parser_bison.y | 31 ++++++++++++++++++++-----------
>  2 files changed, 26 insertions(+), 11 deletions(-)
> 
> diff --git a/include/parser.h b/include/parser.h
> index 92beab2..f48fcfd 100644
> --- a/include/parser.h
> +++ b/include/parser.h
> @@ -13,6 +13,12 @@
>  
>  #define SCOPE_NEST_MAX                       3
>  
> +/*
> + * This maximum is set to 32 bytes in order to keep the coherence with others
> + * string length in nft objects
> + */
> +#define MAX_COMM_LEN                 32

Please, define this in rule.h together with the UDATA_* definitions.

This limitation has to do with the userdata area, so it would be better if
the name reminded us why we have this restriction.

And bump it to 128 characters I'd suggest. This is half of what we
support in x_tables comment match, but better be conservative and wait
for users asking for longer descriptions.

>  struct parser_state {
>       struct input_descriptor         *indesc;
>       struct input_descriptor         indescs[MAX_INCLUDE_DEPTH];
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 0452b8f..c159684 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -440,7 +440,7 @@ static void location_update(struct location *loc, struct 
> location *rhs, int n)
>  %destructor { close_scope(state); table_free($$); }  table_block_alloc
>  %type <chain>                        chain_block_alloc chain_block
>  %destructor { close_scope(state); chain_free($$); }  chain_block_alloc
> -%type <rule>                 rule
> +%type <rule>                 rule rule_alloc
>  %destructor { rule_free($$); }       rule
>  
>  %type <val>                  set_flag_list   set_flag
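Review bot: `rule_alloc` is added to the `%type <rule>` list, but the `%destructor { rule_free($$); }` line below it still names only `rule`. The new `rule : rule_alloc comment_spec` production further down can now fail with `YYERROR` from `comment_spec` after `rule_alloc` has been reduced. Without a destructor, bison discards that value during error recovery without freeing it, so each rejected comment would leak a rule. I would change the line to `%destructor { rule_free($$); } rule rule_alloc`. The body of `rule_alloc` is not visible in the quoted patch, so this assumes it yields an allocated rule, as the name suggests.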
> @@ -1271,12 +1271,13 @@ ruleid_spec           :       chain_spec      
> handle_spec     position_spec
>                       }
>                       ;
>  
> -comment_spec         :       /* empty */
> -                     {
> -                             $$ = NULL;
> -                     }
> -                     |       COMMENT         string
> +comment_spec         :       COMMENT         string
>                       {
> +                             if (strlen($2) > MAX_COMM_LEN) {
> +                                     erec_queue(error(&@2, "Comment too 
> long.  %d character maximun allowed", MAX_COMM_LEN),
> +                                                state->msgs);
> +                                     YYERROR;
> +                             }
>                               $$ = $2;
>                       }
>                       ;
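Review bot: The error path in `comment_spec` calls `YYERROR` without releasing `$2`. Bison does not run destructors on the right-hand-side symbols of a rule that raises `YYERROR` itself, so the rejected string is leaked on every over-long comment; the action should free `$2` before `YYERROR`. The bound is also ambiguous: `strlen($2) > MAX_COMM_LEN` accepts a 32-character string, which needs 33 bytes once the terminator is stored, while the header comment describes the limit as 32 bytes. If the userdata field holds the NUL as well, the comparison should be `>=`, or the constant should be documented as a character count excluding the terminator. The message text has a typo, `maximun` should be `maximum`.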
> @@ -1293,18 +1294,26 @@ ruleset_spec          :       /* empty */
>                       }
>                       ;
>  
> -rule                 :       stmt_list       comment_spec
> +rule                 :       rule_alloc
> +                     {
> +                             $$->comment = NULL;
> +                     }
> +                     |       rule_alloc      comment_spec
> +                     {
> +                             $$->comment = $2;
> +                     }
> +                     ;
> +

This should happen in a separate patch.