I reviewed the previously rejected changes in "Sanitize calls to
strcpy()" again and found merely two valid ones:
* Copying from 'real_name' of matches/targets: Length of that field is
not checked by xtables_register_* functions, so its length may be
arbitrary. Patch 1 of this series adds the
This simplifies code a bit since it takes care of checking for
out-of-memory conditions.
Signed-off-by: Phil Sutter
---
iptables/nft-shared.c | 13 ++---
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index
Just like with 'name', if given check 'real_name' to not exceed max
length.
Signed-off-by: Phil Sutter
---
libxtables/xtables.c | 12
1 file changed, 12 insertions(+)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 6dd0b152dfecf..34a084f47c290 100644
---
This merges the basically identical implementations of command_match()
from xtables, iptables and ip6tables into one. The only required
adjustment was to make use of xt_params instead of the different
*_globals objects.
Signed-off-by: Phil Sutter
---
iptables/ip6tables.c | 35
Merge these two functions from xtables, iptables, ip6tables and
arptables. Both functions were basically identical in the first three,
only the last one required a bit more attention.
To eliminate access to 'invflags' in a variant-specific location, move the
call to set_option() into callers. This
No point in having a dedicated implementation for 'parse_target'
callback since it is identical with the shared one.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c | 9 +
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index
On 9/24/18 6:10 AM, Florian Westphal wrote:
> Unfortunately some versions of gcc emit the following warning:
> $ make net/xfrm/xfrm_output.o
> linux/compiler.h:252:20: warning: array subscript is above array bounds
> [-Warray-bounds]
> hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
>
Internally, rhashtable_lookup_fast() calls rcu_read_lock() and then
calls rhashtable_lookup(), so in places that are already guaranteed
by the RCU read lock, rhashtable_lookup() is enough.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_flow_table_core.c | 4 ++--
net/netfilter/nft_set_hash.c | 8
nf_flow_offload_{ip/ipv6}_hook() checks the nat flag and then calls
nf_flow_nat_{ip/ipv6}, but that also checks the nat flag, so the
nat flag check code in nf_flow_offload_{ip/ipv6}_hook() is unnecessary.
Signed-off-by: Taehee Yoo
---
net/netfilter/nf_flow_table_ip.c | 6 ++
1 file changed, 2
Phil Sutter wrote:
> - use snprintf(),
> - use strlcpy() from libbsd or
> - introduce a poor-man's strlcpy() macro/function.
>
> What would you prefer? Leave everything as-is, one of the above or
> something completely different? :)
I don't really care that much, I'd avoid adding a new dependency
Hi Florian,
On Mon, Sep 24, 2018 at 11:11:59AM +0200, Florian Westphal wrote:
> Phil Sutter wrote:
> > Make sure destination buffers are NULL-terminated by replacing strcpy()
> > with strncat() (if destination is guaranteed to be zeroed) or explicitly
> > set last byte in buffer to zero.
>
>
Phil Sutter wrote:
> Make sure destination buffers are NULL-terminated by replacing strcpy()
> with strncat() (if destination is guaranteed to be zeroed) or explicitly
> set last byte in buffer to zero.
I'm sorry, but I don't like this at all.
> - strcpy(cs->target->t->u.user.name,