d9f08f29ae
* Thu Nov 07 2024 Phil Sutter <psutter@redhat.com> [1.1.1-1.el10]
- monitor: Recognize flowtable add/del events (Phil Sutter) [RHEL-65346]
- tests: py: Fix for storing payload into missing file (Phil Sutter) [RHEL-65346]
- json: Support typeof in set and map types (Phil Sutter) [RHEL-65346]
- json: collapse set element commands from parser (Phil Sutter) [RHEL-65346]
- doc: extend description of fib expression (Phil Sutter) [RHEL-65346]
- tests: monitor: fix up test case breakage (Phil Sutter) [RHEL-65346]
- src: fix extended netlink error reporting with large set elements (Phil Sutter) [RHEL-65346]
- rule: netlink attribute offset is uint32_t for struct nlerr_loc (Phil Sutter) [RHEL-65346]
- mnl: update cmd_add_loc() to take struct nlmsghdr (Phil Sutter) [RHEL-65346]
- mnl: rename to mnl_seqnum_alloc() to mnl_seqnum_inc() (Phil Sutter) [RHEL-65346]
- src: collapse set element commands from parser (Phil Sutter) [RHEL-65346]
- libnftables-json: fix raw payload expression documentation (Phil Sutter) [RHEL-65346]
- tests: shell: fix spurious dump failure in vmap timeout test (Phil Sutter) [RHEL-65346]
- Rebase onto version 1.1.1 (Phil Sutter) [RHEL-65346]
Resolves: RHEL-65346
From 66dc95d7a3f7c0e4527f4e960f5c397fd3b82af5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 7 Nov 2024 18:38:45 +0100
Subject: [PATCH] rule: netlink attribute offset is uint32_t for struct
 nlerr_loc

JIRA: https://issues.redhat.com/browse/RHEL-65346
Upstream Status: nftables commit 42b081df747729b0d83b69d2816be4091af56a58

commit 42b081df747729b0d83b69d2816be4091af56a58
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu Oct 24 00:08:24 2024 +0200

rule: netlink attribute offset is uint32_t for struct nlerr_loc

The maximum netlink message length (nlh->nlmsg_len) is uint32_t, struct
nlerr_loc stores the offset to the netlink attribute which must be
uint32_t, not uint16_t.

While at it, remove check for zero netlink attribute offset in
nft_cmd_error() which should not ever happen, likely this check was
there to prevent the uint16_t offset overflow.

Fixes: f8aec603aa7e ("src: initial extended netlink error reporting")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/rule.h | 2 +-
src/cmd.c | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/rule.h b/include/rule.h
|
|
index a1628d8..3fcfa44 100644
|
|
--- a/include/rule.h
|
|
+++ b/include/rule.h
|
|
@@ -695,7 +695,7 @@ void monitor_free(struct monitor *m);
|
|
#define NFT_NLATTR_LOC_MAX 32
|
|
|
|
struct nlerr_loc {
|
|
- uint16_t offset;
|
|
+ uint32_t offset;
|
|
const struct location *location;
|
|
};
|
|
|
|
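Review bot: Widening `offset` in `struct nlerr_loc` only removes the truncation if every path that stores into it also carries a 32-bit value, and none of those writers are visible in this hunk. Please confirm that the function recording the offset takes and computes it as `uint32_t` (or derives it from `nlh->nlmsg_len` without an intermediate `uint16_t`), otherwise offsets past 65535 will still wrap before they reach the struct and error locations for large batches will point at the wrong attribute. A one-line comment on the field saying what the offset is relative to and that it must match the width of `nlmsg_len` would help keep it from being narrowed again. On LP64 targets the field is followed by a pointer, so the struct size does not change.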
diff --git a/src/cmd.c b/src/cmd.c
|
|
index 78a2aa3..0c7a43e 100644
|
|
--- a/src/cmd.c
|
|
+++ b/src/cmd.c
|
|
@@ -323,8 +323,6 @@ void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd,
|
|
uint32_t i;
|
|
|
|
for (i = 0; i < cmd->num_attrs; i++) {
|
|
- if (!cmd->attr[i].offset)
|
|
- break;
|
|
if (cmd->attr[i].offset == err->offset)
|
|
loc = cmd->attr[i].location;
|
|
}
|
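Review bot: Dropping the `if (!cmd->attr[i].offset) break;` guard in `nft_cmd_error()` means the loop now trusts `cmd->num_attrs` as the only bound on valid entries, so any slot below `num_attrs` that was left unset would be compared against `err->offset` instead of ending the scan. The commit message says a zero offset "should not ever happen"; that invariant deserves either an assertion where entries are appended or a short comment here, since a zero `err->offset` would now match such a slot and return its location. Also note that the loop does not stop on a match, so when two entries share an offset the last one wins; if that is intended it is worth stating, otherwise a `break` after assigning `loc` makes the choice explicit.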