ipfilter: Add ipf_check_names_string()
ipf_check_names_string will verify userland inputs in names strings (fr.fr_names, in.in_names) for correctness. Original concept of ipf_check_names_string() instead of macros by markj. Reviewed by: markj MFC after: 1 week Differential revision: https://reviews.freebsd.org/D53843
@@ -9951,3 +9951,34 @@ ipf_inet6_mask_del(int bits, i6addr_t *mask, ipf_v6_masktab_t *mtab)
|
||||
ASSERT(mtab->imt6_max >= 0);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* ------------------------------------------------------------------------ */
|
||||
/* Function: ipf_check_names_string */
|
||||
/* Returns: int - 0 == success */
|
||||
/* - 1 == negative offset */
|
||||
/* - 2 == offset exceds namelen */
|
||||
/* - 3 == string exceeds the names string */
|
||||
/* Parameters: names - pointer to names string */
|
||||
/* namelen - total length of names string */
|
||||
/* offset - offset into names string */
|
||||
/* */
|
||||
/* Validate the names string (fr_names for ipfilter, in_names for ipnat). */
|
||||
/* ------------------------------------------------------------------------ */
|
||||
int
|
||||
ipf_check_names_string(char *names, int namelen, int offset)
|
||||
{
|
||||
const char *name;
|
||||
size_t len;
|
||||
|
||||
if (offset == -1)
|
||||
return (0);
|
||||
if (offset < 0)
|
||||
return (1);
|
||||
if (offset > namelen)
|
||||
return (2);
|
||||
name = &names[offset];
|
||||
len = strnlen(name, namelen - offset);
|
||||
if (len == namelen - offset)
|
||||
return (3);
|
||||
return (0);
|
||||
}
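Review bot: The header comment lists `1 == negative offset`, but the body returns 0 for `offset == -1` before that test, so a success return does not guarantee that `&names[offset]` is a valid string. Assuming -1 is the intended "no name" sentinel (the hunk does not show this), the comment should say so, e.g. `/* offset == -1 means "no name" and is accepted; callers must not index names with it. */`. The bound `if (offset > namelen)` lets `offset == namelen` fall through to a zero-length `strnlen()` and come back as 3 rather than 2; `if (offset >= namelen)` rejects it at the bounds check and keeps the return codes matching their descriptions. `len == namelen - offset` compares a `size_t` with an `int`; the difference is non-negative at that point, so `if (len == (size_t)(namelen - offset))` makes the comparison explicit. Since the function only reads the buffer, `names` could be `const char *` here and in the prototype added by the header hunk.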
|
||||
|
||||
@@ -1859,5 +1859,6 @@ extern int ipf_ht_node_del(host_track_t *, int, i6addr_t *);
|
||||
extern void ipf_rb_ht_flush(host_track_t *);
|
||||
extern void ipf_rb_ht_freenode(host_node_t *, void *);
|
||||
extern void ipf_rb_ht_init(host_track_t *);
|
||||
extern int ipf_check_names_string(char *, int, int);
|
||||
|
||||
#endif /* __IP_FIL_H__ */
|
||||
|
||||