Otherwise this breaks nested jumps to chains that reach the maximum depth.
#!/bin/bash
nft add table ip filter
nft add chain ip filter input { type filter hook input priority 0\; }
for ((i=0;i<20;i++)); do
nft add chain ip filter a$i
done
nft add rule ip filter input jump a1
for ((i=0;i<10;i++)); do
nft add rule ip filter a$i jump a$((i+1))
done
for ((i=11;i<19;i++)); do
nft add rule ip filter a$i jump a$((i+1))
done
nft add rule ip filter a10 jump a11
This patch is a partial revert.
Fixes: 26b2f552525c ("netfilter: nf_tables: fix jumpstack depth validation")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/include/net/netfilter/nf_tables.h
b/include/net/netfilter/nf_tables.h
index dc417ef0a0c5..d47c2426ebb3 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -867,6 +867,7 @@ enum nft_chain_flags {
* @table: table that this chain belongs to
* @handle: chain handle
* @use: number of jump references to this chain
+ * @level: length of longest path to this chain
* @flags: bitmask of enum nft_chain_flags
* @name: name of the chain
*/
@@ -879,6 +880,7 @@ struct nft_chain {
struct nft_table *table;
u64 handle;
u32 use;
+ u16 level;
u8 flags:6,
genmask:2;
char *name;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 67cdd5c4f4f5..063004fab9de 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6940,6 +6940,13 @@ int nft_validate_register_store(const struct nft_ctx
*ctx,
err = nf_tables_check_loops(ctx, data->verdict.chain);
if (err < 0)
return err;
+
+ if (ctx->chain->level + 1 >
+ data->verdict.chain->level) {
+ if (ctx->chain->level + 1 ==
NFT_JUMP_STACK_SIZE)
+ return -EMLINK;
+ data->verdict.chain->level = ctx->chain->level
+ 1;
+ }
}
return 0;
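Review bot: The depth bookkeeping added after the `nf_tables_check_loops()` call raises only `data->verdict.chain->level`; chains already reachable from that target keep the level they got when their own incoming jump was added, so for the script in the description `a10 jump a11` lifts a11 to 11 but leaves a12…a19 at the values they had before, unless nf_tables_check_loops(), whose body is outside this hunk, propagates levels as well. If it does not, `level` is only a lower bound on the longest path whenever rules are added target-first, and the `ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE` test can be passed by a chain whose real depth already exceeds the jump stack. If the one-hop update is intentional, the kerneldoc in the nf_tables.h hunk (`@level: length of longest path to this chain`) overstates it; something like `@level: depth of the deepest jump into this chain seen at insertion time, not recomputed for chains below it` would match the code. Nothing in this series lowers a level when a rule is deleted, which only makes the check stricter, but is worth a comment next to the assignment. nft_validate_register_store continues outside the hunk.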
--
2.11.0