parser: cap comment length to 128 bytes
authorCarlos Falgueras García <carlosfg@riseup.net>
Mon, 30 May 2016 16:35:40 +0000 (18:35 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 30 May 2016 17:37:50 +0000 (19:37 +0200)
Pablo rewrites this description to:

"The user data area available is 256 bytes (NFT_USERDATA_MAXLEN). We plan
to allow storing other useful information such as datatypes in set
elements, so make sure there is room for this."

Example:
> nft add table t
> nft add chain t c
> nft add rule t c ip saddr 1.1.1.1 counter comment "abc...xyz" # len > 128
<cmdline>:1:47-N: Error: comment too long, 128 characters maximum allowed
add rule t c ip saddr 1.1.1.1 counter comment abc...xyz
                                              ^^^^^^^^^

Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/rule.h
src/parser_bison.y

index bd24648de7de04b898d4b9667d7605bcf1a639cd..7e8daac947eaee7c9a1a12c2263aefc6eaefe39b 100644 (file)
@@ -428,4 +428,6 @@ enum udata_type {
 };
 #define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
 
+#define UDATA_COMMENT_MAXLEN 128
+
 #endif /* NFTABLES_RULE_H */
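Review bot: The new UDATA_COMMENT_MAXLEN define carries no explanation of where 128 comes from, and the only place that says so is the commit description. A one-line comment at the define would keep that reasoning with the code: `/* half of NFT_USERDATA_MAXLEN (256): leave room for other userdata TLVs, e.g. set element datatypes */`. Anyone later raising the value would then see it is a share of a fixed kernel-side budget rather than an arbitrary limit.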
index 6f51a49da4aa25f3b8b16ceae98fe969cdf0e6db..dfdf23777e747d839de2b08c6a05cdbea526c81c 100644 (file)
@@ -1275,6 +1275,11 @@ ruleid_spec              :       chain_spec      handle_spec     position_spec
 
 comment_spec           :       COMMENT         string
                        {
+                               if (strlen($2) > UDATA_COMMENT_MAXLEN) {
+                                       erec_queue(error(&@2, "comment too long, %d characters maximum allowed", UDATA_COMMENT_MAXLEN),
+                                                  state->msgs);
+                                       YYERROR;
+                               }
                                $$ = $2;
                        }
                        ;
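Review bot: The message passed to erec_queue() says "characters" but the check is `strlen($2) > UDATA_COMMENT_MAXLEN`, which counts bytes, and the commit title itself says bytes; a comment containing multi-byte UTF-8 text is rejected well below 128 visible characters, contradicting the message. Suggest `"comment too long, %d bytes maximum allowed"` and updating the example in the description to match. On the YYERROR path the string held in $2 is not released here; if the grammar declares a `%destructor` for the string type it is reclaimed there, otherwise every rejected comment leaks it — worth confirming. Note also that this cap is enforced only at the parser, so any other path that builds rule userdata would need its own check against the NFT_USERDATA_MAXLEN budget the description mentions.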