netfilter buglog - Aug 2020 - [Bug 1459] New: EMLINK error for NFT_GOTO

https://bugzilla.netfilter.org/show_bug.cgi?id=1459

            Bug ID: 1459
           Summary: EMLINK error for NFT_GOTO
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: steve at opendium.com

Created attachment 605
  --> https://bugzilla.netfilter.org/attachment.cgi?id=605&action=edit
Don't increment pctx->level when following gotos

nft_immediate_validate() and nft_lookup_validate_setelem() treat NFT_GOTO and
NFT_JUMP identically, incrementing pctx->level for both.  This results in a
-EMLINK ("Too many links") being unexpectedly returned for rulesets
that use
lots of gotos.

Having looked at other parts of the code, I can't see a reason for
incrementing
the stack level for NFT_GOTO - it doesn't appear to use any real stack
space.

The attached patch fixes this problem.


A couple of stylistic comments on the code, which I haven't attempted to
fix:
1. ctx is passed as a const, but the constness is cast away, which isn't
great
practice.
2. ctx->level is modified, even though ctx is passed as a const, and in the
case of an error the original value isn't restored.  I'm guessing that
the
caller probably throws away ctx anyway, so this probably doesn't have any
real-world implications, other than the potential for future bugs introduced by
someone expecting const to mean const.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200828/9f44392c/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1459

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Patch looks good, could you submit this to netfilter-devel at vger.kernel.org?

Please add you Signed-off-by: tag to you patch

See:

https://www.kernel.org/doc/html/v4.17/process/submitting-patches.html#developer-s-certificate-of-origin-1-1

for more information.

Thanks.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200828/0c14588a/attachment.html>