netfilter: helper: add build-time asserts for helper data size

add a 32 byte scratch area in the helper struct instead of relying
on variable sized helpers plus compile-time asserts to let us know
if 32 bytes aren't enough anymore.

Not having variable sized helpers will later allow to add BUILD_BUG_ON
for the total size of conntrack extensions -- the helper extension is
the only one that doesn't have a fixed size.

The (useless!) NF_CT_HELPER_BUILD_BUG_ON(0); are added so that in case
someone adds a new helper and copy-pastes from one that doesn't store
private data at least some indication that this macro should be used
somehow is there...

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 15d746558665540720278907c052a167b460a5dd..29539ed1008f7117e3b33b995dc6c70852ca8831 100644 (file)
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -66,9 +66,12 @@ struct nf_conn_help {
        u8 expecting[NF_CT_MAX_EXPECT_CLASSES];
 
        /* private helper information. */
-       char data[];
+       char data[32] __aligned(8);
 };
 
+#define NF_CT_HELPER_BUILD_BUG_ON(structsize) \
+       BUILD_BUG_ON((structsize) > FIELD_SIZEOF(struct nf_conn_help, data))
+
 struct nf_conntrack_helper *__nf_conntrack_helper_find(const char *name,
                                                       u16 l3num, u8 protonum);
 

diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 57a26cc90c9fada2be251d6718f8b814e059beea..03d2ccffa9fa3c1eecfbc07dcadc420a0ab5e315 100644 (file)
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -207,6 +207,8 @@ static int __init nf_conntrack_amanda_init(void)
 {
        int ret, i;
 
+       NF_CT_HELPER_BUILD_BUG_ON(0);
+
        for (i = 0; i < ARRAY_SIZE(search); i++) {
                search[i].ts = textsearch_prepare(ts_algo, search[i].string,
                                                  search[i].len,

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 4aecef4a89fb135e5b50ac382f19645aafaaff94..58e1256cd05d88849a2b55421fb0abea5cc3df88 100644 (file)
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -577,6 +577,8 @@ static int __init nf_conntrack_ftp_init(void)
 {
        int i, ret = 0;
 
+       NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_ftp_master));
+
        ftp_buffer = kmalloc(65536, GFP_KERNEL);
        if (!ftp_buffer)
                return -ENOMEM;

diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index f65d93639d12595884081726808f4c1e17caec03..e98204349efea9d0dfeabed228e31721590fd12d 100644 (file)
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -1836,6 +1836,8 @@ static int __init nf_conntrack_h323_init(void)
 {
        int ret;
 
+       NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_h323_master));
+
        h323_buffer = kmalloc(65536, GFP_KERNEL);
        if (!h323_buffer)
                return -ENOMEM;

diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index 4c8f30a3d6d2762e69604c4b1f6cd6821663bc64..496ce173f0c1937c73fb360e402c9c3e3936e1e9 100644 (file)
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -58,6 +58,8 @@ static struct nf_conntrack_helper helper __read_mostly = {
 
 static int __init nf_conntrack_netbios_ns_init(void)
 {
+       NF_CT_HELPER_BUILD_BUG_ON(0);
+
        exp_policy.timeout = timeout;
        return nf_conntrack_helper_register(&helper);
 }

diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index f60a4755d71e2b0763be35e07976e02169e1b01e..34fac4c52c4cdfdf456707780b19fce74699c8ef 100644 (file)
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -607,6 +607,8 @@ static struct nf_conntrack_helper pptp __read_mostly = {
 
 static int __init nf_conntrack_pptp_init(void)
 {
+       NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_pptp_master));
+
        return nf_conntrack_helper_register(&pptp);
 }
 

diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index 9dcb9ee9b97d53361c73df05aa5fe9923e933bda..1121db08d0489beafad5ea1955ec1883392d21d2 100644 (file)
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -184,6 +184,8 @@ static int __init nf_conntrack_sane_init(void)
 {
        int i, ret = 0;
 
+       NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sane_master));
+
        sane_buffer = kmalloc(65536, GFP_KERNEL);
        if (!sane_buffer)
                return -ENOMEM;

diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 91a9c97b7e9a5eef38db64c2fe4b4b50215cdc77..79bbcc4d52ee6b4d4715d07d1dec8925cd7f04d6 100644 (file)
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1622,6 +1622,8 @@ static int __init nf_conntrack_sip_init(void)
 {
        int i, ret;
 
+       NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sip_master));
+
        if (ports_c == 0)
                ports[ports_c++] = SIP_PORT;
 

diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index b1227dc6f75e115c8cb2e88e488c9349686891a0..27e2f6f904dcfacd609a1e88962ff5596395e18a 100644 (file)
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -113,6 +113,8 @@ static int __init nf_conntrack_tftp_init(void)
 {
        int i, ret;
 
+       NF_CT_HELPER_BUILD_BUG_ON(0);
+
        if (ports_c == 0)
                ports[ports_c++] = TFTP_PORT;