svn commit: r290332 - head/sys/netpfil/ipfw

Andrey V. Elsukov ae at FreeBSD.org
Tue Nov 3 10:29:48 UTC 2015


Author: ae
Date: Tue Nov  3 10:29:46 2015
New Revision: 290332
URL: https://svnweb.freebsd.org/changeset/base/290332

Log:
  Add ipfw_check_object_name_generic() function to do basic checks of an
  object name's correctness. Each type of object can do stricter checking
  in its own implementation. Do such checks for tables in check_table_name().
  
  Reviewed by:	melifaro
  Obtained from:	Yandex LLC
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_private.h
  head/sys/netpfil/ipfw/ip_fw_sockopt.c
  head/sys/netpfil/ipfw/ip_fw_table.c
  head/sys/netpfil/ipfw/ip_fw_table.h

Modified: head/sys/netpfil/ipfw/ip_fw_private.h
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_private.h	Tue Nov  3 10:24:54 2015	(r290331)
+++ head/sys/netpfil/ipfw/ip_fw_private.h	Tue Nov  3 10:29:46 2015	(r290332)
@@ -693,6 +693,7 @@ void update_opcode_kidx(ipfw_insn *cmd, 
 int classify_opcode_kidx(ipfw_insn *cmd, uint16_t *puidx);
 void ipfw_init_srv(struct ip_fw_chain *ch);
 void ipfw_destroy_srv(struct ip_fw_chain *ch);
+int ipfw_check_object_name_generic(const char *name);
 
 /* In ip_fw_table.c */
 struct table_info;

Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_sockopt.c	Tue Nov  3 10:24:54 2015	(r290331)
+++ head/sys/netpfil/ipfw/ip_fw_sockopt.c	Tue Nov  3 10:29:46 2015	(r290332)
@@ -2156,19 +2156,16 @@ cleanup:
 	return (error);
 }
 
-static int
-check_object_name(ipfw_obj_ntlv *ntlv)
+int
+ipfw_check_object_name_generic(const char *name)
 {
-	int error;
-
-	switch (ntlv->head.type) {
-	case IPFW_TLV_TBL_NAME:
-		error = ipfw_check_table_name(ntlv->name);
-		break;
-	default:
-		error = ENOTSUP;
-	}
+	int nsize;
 
+	nsize = sizeof(((ipfw_obj_ntlv *)0)->name);
+	if (strnlen(name, nsize) == nsize)
+		return (EINVAL);
+	if (name[0] == '\0')
+		return (EINVAL);
 	return (0);
 }
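Review bot: `nsize` on line 62 is declared `int` while both `sizeof(((ipfw_obj_ntlv *)0)->name)` and the `strnlen()` result on line 65 are `size_t`, so the comparison mixes signed and unsigned, and the new public function has no header comment stating its contract. Declare it `size_t nsize;` and add above the definition: `/* Generic object name check: the name must be non-empty and NUL-terminated within sizeof(ipfw_obj_ntlv.name). Returns 0 if valid, EINVAL otherwise. */`. The empty-name test on line 67 could also be performed first, since it needs no length scan.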
 
@@ -2483,7 +2480,7 @@ add_rules(struct ip_fw_chain *chain, ip_
 			if (ntlv->head.length != sizeof(ipfw_obj_ntlv))
 				return (EINVAL);
 
-			error = check_object_name(ntlv);
+			error = ipfw_check_object_name_generic(ntlv->name);
 			if (error != 0)
 				return (error);
 
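Review bot: The replaced `check_object_name()` rejected every `ntlv->head.type` other than `IPFW_TLV_TBL_NAME` with ENOTSUP, and the new call on line 77 inspects only the name, so a name TLV of an unrecognized type now passes this loop unless the type is validated further down in add_rules, which continues outside the hunk. If no later type validation exists, the switch on `ntlv->head.type` should be kept in front of the generic call; if it does exist, a one-line comment such as `/* Type-specific checks are done when the object is resolved. */` would record why the type is not inspected here.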

Modified: head/sys/netpfil/ipfw/ip_fw_table.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_table.c	Tue Nov  3 10:24:54 2015	(r290331)
+++ head/sys/netpfil/ipfw/ip_fw_table.c	Tue Nov  3 10:29:46 2015	(r290332)
@@ -115,6 +115,7 @@ static int dump_table_xentry(void *e, vo
 static int swap_tables(struct ip_fw_chain *ch, struct tid_info *a,
     struct tid_info *b);
 
+static int check_table_name(const char *name);
 static int check_table_space(struct ip_fw_chain *ch, struct tableop_state *ts,
     struct table_config *tc, struct table_info *ti, uint32_t count);
 static int destroy_table(struct ip_fw_chain *ch, struct tid_info *ti);
@@ -1794,7 +1795,7 @@ modify_table(struct ip_fw_chain *ch, ip_
 	 * Check for null-terminated/zero-length strings/
 	 */
 	tname = oh->ntlv.name;
-	if (ipfw_check_table_name(tname) != 0)
+	if (check_table_name(tname) != 0)
 		return (EINVAL);
 
 	objheader_to_ti(oh, &ti);
@@ -1851,7 +1852,7 @@ create_table(struct ip_fw_chain *ch, ip_
 	 */
 	tname = oh->ntlv.name;
 	aname = i->algoname;
-	if (ipfw_check_table_name(tname) != 0 ||
+	if (check_table_name(tname) != 0 ||
 	    strnlen(aname, sizeof(i->algoname)) == sizeof(i->algoname))
 		return (EINVAL);
 
@@ -2915,25 +2916,14 @@ static struct opcode_obj_rewrite opcodes
  *
  * Returns 0 if name is considered valid.
  */
-int
-ipfw_check_table_name(char *name)
+static int
+check_table_name(const char *name)
 {
-	int nsize;
-	ipfw_obj_ntlv *ntlv = NULL;
-
-	nsize = sizeof(ntlv->name);
-
-	if (strnlen(name, nsize) == nsize)
-		return (EINVAL);
-
-	if (name[0] == '\0')
-		return (EINVAL);
 
 	/*
 	 * TODO: do some more complicated checks
 	 */
-
-	return (0);
+	return (ipfw_check_object_name_generic(name));
 }
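Review bot: The blank line on line 131 directly after the opening brace is left over from the removed declarations, and the body now consists only of the TODO comment and the call on line 137, so the blank line should be dropped to make the function read as the thin wrapper it is. The header comment above still states `Returns 0 if name is considered valid`, which remains accurate; replacing the TODO with `/* Currently only the generic checks (non-empty, NUL-terminated) are applied. */` would tell a reader what the wrapper actually enforces today.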
 
 /*
@@ -2965,7 +2955,7 @@ find_name_tlv(void *tlvs, int len, uint1
 		if (ntlv->idx != uidx)
 			continue;
 
-		if (ipfw_check_table_name(ntlv->name) != 0)
+		if (check_table_name(ntlv->name) != 0)
 			return (NULL);
 		
 		return (ntlv);

Modified: head/sys/netpfil/ipfw/ip_fw_table.h
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_table.h	Tue Nov  3 10:24:54 2015	(r290331)
+++ head/sys/netpfil/ipfw/ip_fw_table.h	Tue Nov  3 10:29:46 2015	(r290332)
@@ -187,7 +187,6 @@ void ipfw_unref_rule_tables(struct ip_fw
 struct namedobj_instance *ipfw_get_table_objhash(struct ip_fw_chain *ch);
 
 /* utility functions  */
-int ipfw_check_table_name(char *name);
 int ipfw_move_tables_sets(struct ip_fw_chain *ch, ipfw_range_tlv *rt,
     uint32_t new_set);
 void ipfw_swap_tables_sets(struct ip_fw_chain *ch, uint32_t old_set,

