1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * NETLINK Netlink attributes 4 * 5 * Authors: Thomas Graf <tgraf@suug.ch> 6 * Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> 7 */ 8 9 #include <linux/export.h> 10 #include <linux/kernel.h> 11 #include <linux/errno.h> 12 #include <linux/jiffies.h> 13 #include <linux/skbuff.h> 14 #include <linux/string.h> 15 #include <linux/types.h> 16 #include <net/netlink.h> 17 18 /* For these data types, attribute length should be exactly the given 19 * size. However, to maintain compatibility with broken commands, if the 20 * attribute length does not match the expected size a warning is emitted 21 * to the user that the command is sending invalid data and needs to be fixed. 22 */ 23 static const u8 nla_attr_len[NLA_TYPE_MAX+1] = { 24 [NLA_U8] = sizeof(u8), 25 [NLA_U16] = sizeof(u16), 26 [NLA_U32] = sizeof(u32), 27 [NLA_U64] = sizeof(u64), 28 [NLA_S8] = sizeof(s8), 29 [NLA_S16] = sizeof(s16), 30 [NLA_S32] = sizeof(s32), 31 [NLA_S64] = sizeof(s64), 32 }; 33 34 static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = { 35 [NLA_U8] = sizeof(u8), 36 [NLA_U16] = sizeof(u16), 37 [NLA_U32] = sizeof(u32), 38 [NLA_U64] = sizeof(u64), 39 [NLA_MSECS] = sizeof(u64), 40 [NLA_NESTED] = NLA_HDRLEN, 41 [NLA_S8] = sizeof(s8), 42 [NLA_S16] = sizeof(s16), 43 [NLA_S32] = sizeof(s32), 44 [NLA_S64] = sizeof(s64), 45 }; 46 47 static int validate_nla_bitfield32(const struct nlattr *nla, 48 u32 *valid_flags_allowed) 49 { 50 const struct nla_bitfield32 *bf = nla_data(nla); 51 u32 *valid_flags_mask = valid_flags_allowed; 52 53 if (!valid_flags_allowed) 54 return -EINVAL; 55 56 /*disallow invalid bit selector */ 57 if (bf->selector & ~*valid_flags_mask) 58 return -EINVAL; 59 60 /*disallow invalid bit values */ 61 if (bf->value & ~*valid_flags_mask) 62 return -EINVAL; 63 64 /*disallow valid bit values that are not selected*/ 65 if (bf->value & ~bf->selector) 66 return -EINVAL; 67 68 return 0; 69 } 70 71 static int validate_nla(const struct nlattr *nla, int maxtype, 72 const struct nla_policy *policy, 73 const char **error_msg) 74 { 75 const struct nla_policy *pt; 76 int minlen = 0, attrlen = nla_len(nla), type = nla_type(nla); 77 78 if (type <= 0 || type > maxtype) 79 return 0; 80 81 pt = &policy[type]; 82 83 BUG_ON(pt->type > NLA_TYPE_MAX); 84 85 if ((nla_attr_len[pt->type] && attrlen != nla_attr_len[pt->type]) || 86 (pt->type == NLA_EXACT_LEN_WARN && attrlen != pt->len)) { 87 pr_warn_ratelimited("netlink: '%s': attribute type %d has an invalid length.\n", 88 current->comm, type); 89 } 90 91 switch (pt->type) { 92 case NLA_EXACT_LEN: 93 if (attrlen != pt->len) 94 return -ERANGE; 95 break; 96 97 case NLA_REJECT: 98 if (pt->validation_data && error_msg) 99 *error_msg = pt->validation_data; 100 return -EINVAL; 101 102 case NLA_FLAG: 103 if (attrlen > 0) 104 return -ERANGE; 105 break; 106 107 case NLA_BITFIELD32: 108 if (attrlen != sizeof(struct nla_bitfield32)) 109 return -ERANGE; 110 111 return validate_nla_bitfield32(nla, pt->validation_data); 112 113 case NLA_NUL_STRING: 114 if (pt->len) 115 minlen = min_t(int, attrlen, pt->len + 1); 116 else 117 minlen = attrlen; 118 119 if (!minlen || memchr(nla_data(nla), '\0', minlen) == NULL) 120 return -EINVAL; 121 /* fall through */ 122 123 case NLA_STRING: 124 if (attrlen < 1) 125 return -ERANGE; 126 127 if (pt->len) { 128 char *buf = nla_data(nla); 129 130 if (buf[attrlen - 1] == '\0') 131 attrlen--; 132 133 if (attrlen > pt->len) 134 return -ERANGE; 135 } 136 break; 137 138 case NLA_BINARY: 139 if (pt->len && attrlen > pt->len) 140 return -ERANGE; 141 break; 142 143 case NLA_NESTED_COMPAT: 144 if (attrlen < pt->len) 145 return -ERANGE; 146 if (attrlen < NLA_ALIGN(pt->len)) 147 break; 148 if (attrlen < NLA_ALIGN(pt->len) + NLA_HDRLEN) 149 return -ERANGE; 150 nla = nla_data(nla) + NLA_ALIGN(pt->len); 151 if (attrlen < NLA_ALIGN(pt->len) + NLA_HDRLEN + nla_len(nla)) 152 return -ERANGE; 153 break; 154 case NLA_NESTED: 155 /* a nested attributes is allowed to be empty; if its not, 156 * it must have a size of at least NLA_HDRLEN. 157 */ 158 if (attrlen == 0) 159 break; 160 default: 161 if (pt->len) 162 minlen = pt->len; 163 else if (pt->type != NLA_UNSPEC) 164 minlen = nla_attr_minlen[pt->type]; 165 166 if (attrlen < minlen) 167 return -ERANGE; 168 } 169 170 return 0; 171 } 172 173 /** 174 * nla_validate - Validate a stream of attributes 175 * @head: head of attribute stream 176 * @len: length of attribute stream 177 * @maxtype: maximum attribute type to be expected 178 * @policy: validation policy 179 * @extack: extended ACK report struct 180 * 181 * Validates all attributes in the specified attribute stream against the 182 * specified policy. Attributes with a type exceeding maxtype will be 183 * ignored. See documenation of struct nla_policy for more details. 184 * 185 * Returns 0 on success or a negative error code. 186 */ 187 int nla_validate(const struct nlattr *head, int len, int maxtype, 188 const struct nla_policy *policy, 189 struct netlink_ext_ack *extack) 190 { 191 const struct nlattr *nla; 192 int rem; 193 194 nla_for_each_attr(nla, head, len, rem) { 195 int err = validate_nla(nla, maxtype, policy, NULL); 196 197 if (err < 0) { 198 NL_SET_BAD_ATTR(extack, nla); 199 return err; 200 } 201 } 202 203 return 0; 204 } 205 EXPORT_SYMBOL(nla_validate); 206 207 /** 208 * nla_policy_len - Determin the max. length of a policy 209 * @policy: policy to use 210 * @n: number of policies 211 * 212 * Determines the max. length of the policy. It is currently used 213 * to allocated Netlink buffers roughly the size of the actual 214 * message. 215 * 216 * Returns 0 on success or a negative error code. 217 */ 218 int 219 nla_policy_len(const struct nla_policy *p, int n) 220 { 221 int i, len = 0; 222 223 for (i = 0; i < n; i++, p++) { 224 if (p->len) 225 len += nla_total_size(p->len); 226 else if (nla_attr_len[p->type]) 227 len += nla_total_size(nla_attr_len[p->type]); 228 else if (nla_attr_minlen[p->type]) 229 len += nla_total_size(nla_attr_minlen[p->type]); 230 } 231 232 return len; 233 } 234 EXPORT_SYMBOL(nla_policy_len); 235 236 /** 237 * nla_parse - Parse a stream of attributes into a tb buffer 238 * @tb: destination array with maxtype+1 elements 239 * @maxtype: maximum attribute type to be expected 240 * @head: head of attribute stream 241 * @len: length of attribute stream 242 * @policy: validation policy 243 * 244 * Parses a stream of attributes and stores a pointer to each attribute in 245 * the tb array accessible via the attribute type. Attributes with a type 246 * exceeding maxtype will be silently ignored for backwards compatibility 247 * reasons. policy may be set to NULL if no validation is required. 248 * 249 * Returns 0 on success or a negative error code. 250 */ 251 int nla_parse(struct nlattr **tb, int maxtype, const struct nlattr *head, 252 int len, const struct nla_policy *policy, 253 struct netlink_ext_ack *extack) 254 { 255 const struct nlattr *nla; 256 int rem, err; 257 258 memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1)); 259 260 nla_for_each_attr(nla, head, len, rem) { 261 u16 type = nla_type(nla); 262 263 if (type > 0 && type <= maxtype) { 264 static const char _msg[] = "Attribute failed policy validation"; 265 const char *msg = _msg; 266 267 if (policy) { 268 err = validate_nla(nla, maxtype, policy, &msg); 269 if (err < 0) { 270 NL_SET_BAD_ATTR(extack, nla); 271 if (extack) 272 extack->_msg = msg; 273 goto errout; 274 } 275 } 276 277 tb[type] = (struct nlattr *)nla; 278 } 279 } 280 281 if (unlikely(rem > 0)) 282 pr_warn_ratelimited("netlink: %d bytes leftover after parsing attributes in process `%s'.\n", 283 rem, current->comm); 284 285 err = 0; 286 errout: 287 return err; 288 } 289 EXPORT_SYMBOL(nla_parse); 290 291 /** 292 * nla_find - Find a specific attribute in a stream of attributes 293 * @head: head of attribute stream 294 * @len: length of attribute stream 295 * @attrtype: type of attribute to look for 296 * 297 * Returns the first attribute in the stream matching the specified type. 298 */ 299 struct nlattr *nla_find(const struct nlattr *head, int len, int attrtype) 300 { 301 const struct nlattr *nla; 302 int rem; 303 304 nla_for_each_attr(nla, head, len, rem) 305 if (nla_type(nla) == attrtype) 306 return (struct nlattr *)nla; 307 308 return NULL; 309 } 310 EXPORT_SYMBOL(nla_find); 311 312 /** 313 * nla_strlcpy - Copy string attribute payload into a sized buffer 314 * @dst: where to copy the string to 315 * @nla: attribute to copy the string from 316 * @dstsize: size of destination buffer 317 * 318 * Copies at most dstsize - 1 bytes into the destination buffer. 319 * The result is always a valid NUL-terminated string. Unlike 320 * strlcpy the destination buffer is always padded out. 321 * 322 * Returns the length of the source buffer. 323 */ 324 size_t nla_strlcpy(char *dst, const struct nlattr *nla, size_t dstsize) 325 { 326 size_t srclen = nla_len(nla); 327 char *src = nla_data(nla); 328 329 if (srclen > 0 && src[srclen - 1] == '\0') 330 srclen--; 331 332 if (dstsize > 0) { 333 size_t len = (srclen >= dstsize) ? dstsize - 1 : srclen; 334 335 memset(dst, 0, dstsize); 336 memcpy(dst, src, len); 337 } 338 339 return srclen; 340 } 341 EXPORT_SYMBOL(nla_strlcpy); 342 343 /** 344 * nla_strdup - Copy string attribute payload into a newly allocated buffer 345 * @nla: attribute to copy the string from 346 * @flags: the type of memory to allocate (see kmalloc). 347 * 348 * Returns a pointer to the allocated buffer or NULL on error. 349 */ 350 char *nla_strdup(const struct nlattr *nla, gfp_t flags) 351 { 352 size_t srclen = nla_len(nla); 353 char *src = nla_data(nla), *dst; 354 355 if (srclen > 0 && src[srclen - 1] == '\0') 356 srclen--; 357 358 dst = kmalloc(srclen + 1, flags); 359 if (dst != NULL) { 360 memcpy(dst, src, srclen); 361 dst[srclen] = '\0'; 362 } 363 return dst; 364 } 365 EXPORT_SYMBOL(nla_strdup); 366 367 /** 368 * nla_memcpy - Copy a netlink attribute into another memory area 369 * @dest: where to copy to memcpy 370 * @src: netlink attribute to copy from 371 * @count: size of the destination area 372 * 373 * Note: The number of bytes copied is limited by the length of 374 * attribute's payload. memcpy 375 * 376 * Returns the number of bytes copied. 377 */ 378 int nla_memcpy(void *dest, const struct nlattr *src, int count) 379 { 380 int minlen = min_t(int, count, nla_len(src)); 381 382 memcpy(dest, nla_data(src), minlen); 383 if (count > minlen) 384 memset(dest + minlen, 0, count - minlen); 385 386 return minlen; 387 } 388 EXPORT_SYMBOL(nla_memcpy); 389 390 /** 391 * nla_memcmp - Compare an attribute with sized memory area 392 * @nla: netlink attribute 393 * @data: memory area 394 * @size: size of memory area 395 */ 396 int nla_memcmp(const struct nlattr *nla, const void *data, 397 size_t size) 398 { 399 int d = nla_len(nla) - size; 400 401 if (d == 0) 402 d = memcmp(nla_data(nla), data, size); 403 404 return d; 405 } 406 EXPORT_SYMBOL(nla_memcmp); 407 408 /** 409 * nla_strcmp - Compare a string attribute against a string 410 * @nla: netlink string attribute 411 * @str: another string 412 */ 413 int nla_strcmp(const struct nlattr *nla, const char *str) 414 { 415 int len = strlen(str); 416 char *buf = nla_data(nla); 417 int attrlen = nla_len(nla); 418 int d; 419 420 if (attrlen > 0 && buf[attrlen - 1] == '\0') 421 attrlen--; 422 423 d = attrlen - len; 424 if (d == 0) 425 d = memcmp(nla_data(nla), str, len); 426 427 return d; 428 } 429 EXPORT_SYMBOL(nla_strcmp); 430 431 #ifdef CONFIG_NET 432 /** 433 * __nla_reserve - reserve room for attribute on the skb 434 * @skb: socket buffer to reserve room on 435 * @attrtype: attribute type 436 * @attrlen: length of attribute payload 437 * 438 * Adds a netlink attribute header to a socket buffer and reserves 439 * room for the payload but does not copy it. 440 * 441 * The caller is responsible to ensure that the skb provides enough 442 * tailroom for the attribute header and payload. 443 */ 444 struct nlattr *__nla_reserve(struct sk_buff *skb, int attrtype, int attrlen) 445 { 446 struct nlattr *nla; 447 448 nla = skb_put(skb, nla_total_size(attrlen)); 449 nla->nla_type = attrtype; 450 nla->nla_len = nla_attr_size(attrlen); 451 452 memset((unsigned char *) nla + nla->nla_len, 0, nla_padlen(attrlen)); 453 454 return nla; 455 } 456 EXPORT_SYMBOL(__nla_reserve); 457 458 /** 459 * __nla_reserve_64bit - reserve room for attribute on the skb and align it 460 * @skb: socket buffer to reserve room on 461 * @attrtype: attribute type 462 * @attrlen: length of attribute payload 463 * @padattr: attribute type for the padding 464 * 465 * Adds a netlink attribute header to a socket buffer and reserves 466 * room for the payload but does not copy it. It also ensure that this 467 * attribute will have a 64-bit aligned nla_data() area. 468 * 469 * The caller is responsible to ensure that the skb provides enough 470 * tailroom for the attribute header and payload. 471 */ 472 struct nlattr *__nla_reserve_64bit(struct sk_buff *skb, int attrtype, 473 int attrlen, int padattr) 474 { 475 if (nla_need_padding_for_64bit(skb)) 476 nla_align_64bit(skb, padattr); 477 478 return __nla_reserve(skb, attrtype, attrlen); 479 } 480 EXPORT_SYMBOL(__nla_reserve_64bit); 481 482 /** 483 * __nla_reserve_nohdr - reserve room for attribute without header 484 * @skb: socket buffer to reserve room on 485 * @attrlen: length of attribute payload 486 * 487 * Reserves room for attribute payload without a header. 488 * 489 * The caller is responsible to ensure that the skb provides enough 490 * tailroom for the payload. 491 */ 492 void *__nla_reserve_nohdr(struct sk_buff *skb, int attrlen) 493 { 494 return skb_put_zero(skb, NLA_ALIGN(attrlen)); 495 } 496 EXPORT_SYMBOL(__nla_reserve_nohdr); 497 498 /** 499 * nla_reserve - reserve room for attribute on the skb 500 * @skb: socket buffer to reserve room on 501 * @attrtype: attribute type 502 * @attrlen: length of attribute payload 503 * 504 * Adds a netlink attribute header to a socket buffer and reserves 505 * room for the payload but does not copy it. 506 * 507 * Returns NULL if the tailroom of the skb is insufficient to store 508 * the attribute header and payload. 509 */ 510 struct nlattr *nla_reserve(struct sk_buff *skb, int attrtype, int attrlen) 511 { 512 if (unlikely(skb_tailroom(skb) < nla_total_size(attrlen))) 513 return NULL; 514 515 return __nla_reserve(skb, attrtype, attrlen); 516 } 517 EXPORT_SYMBOL(nla_reserve); 518 519 /** 520 * nla_reserve_64bit - reserve room for attribute on the skb and align it 521 * @skb: socket buffer to reserve room on 522 * @attrtype: attribute type 523 * @attrlen: length of attribute payload 524 * @padattr: attribute type for the padding 525 * 526 * Adds a netlink attribute header to a socket buffer and reserves 527 * room for the payload but does not copy it. It also ensure that this 528 * attribute will have a 64-bit aligned nla_data() area. 529 * 530 * Returns NULL if the tailroom of the skb is insufficient to store 531 * the attribute header and payload. 532 */ 533 struct nlattr *nla_reserve_64bit(struct sk_buff *skb, int attrtype, int attrlen, 534 int padattr) 535 { 536 size_t len; 537 538 if (nla_need_padding_for_64bit(skb)) 539 len = nla_total_size_64bit(attrlen); 540 else 541 len = nla_total_size(attrlen); 542 if (unlikely(skb_tailroom(skb) < len)) 543 return NULL; 544 545 return __nla_reserve_64bit(skb, attrtype, attrlen, padattr); 546 } 547 EXPORT_SYMBOL(nla_reserve_64bit); 548 549 /** 550 * nla_reserve_nohdr - reserve room for attribute without header 551 * @skb: socket buffer to reserve room on 552 * @attrlen: length of attribute payload 553 * 554 * Reserves room for attribute payload without a header. 555 * 556 * Returns NULL if the tailroom of the skb is insufficient to store 557 * the attribute payload. 558 */ 559 void *nla_reserve_nohdr(struct sk_buff *skb, int attrlen) 560 { 561 if (unlikely(skb_tailroom(skb) < NLA_ALIGN(attrlen))) 562 return NULL; 563 564 return __nla_reserve_nohdr(skb, attrlen); 565 } 566 EXPORT_SYMBOL(nla_reserve_nohdr); 567 568 /** 569 * __nla_put - Add a netlink attribute to a socket buffer 570 * @skb: socket buffer to add attribute to 571 * @attrtype: attribute type 572 * @attrlen: length of attribute payload 573 * @data: head of attribute payload 574 * 575 * The caller is responsible to ensure that the skb provides enough 576 * tailroom for the attribute header and payload. 577 */ 578 void __nla_put(struct sk_buff *skb, int attrtype, int attrlen, 579 const void *data) 580 { 581 struct nlattr *nla; 582 583 nla = __nla_reserve(skb, attrtype, attrlen); 584 memcpy(nla_data(nla), data, attrlen); 585 } 586 EXPORT_SYMBOL(__nla_put); 587 588 /** 589 * __nla_put_64bit - Add a netlink attribute to a socket buffer and align it 590 * @skb: socket buffer to add attribute to 591 * @attrtype: attribute type 592 * @attrlen: length of attribute payload 593 * @data: head of attribute payload 594 * @padattr: attribute type for the padding 595 * 596 * The caller is responsible to ensure that the skb provides enough 597 * tailroom for the attribute header and payload. 598 */ 599 void __nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen, 600 const void *data, int padattr) 601 { 602 struct nlattr *nla; 603 604 nla = __nla_reserve_64bit(skb, attrtype, attrlen, padattr); 605 memcpy(nla_data(nla), data, attrlen); 606 } 607 EXPORT_SYMBOL(__nla_put_64bit); 608 609 /** 610 * __nla_put_nohdr - Add a netlink attribute without header 611 * @skb: socket buffer to add attribute to 612 * @attrlen: length of attribute payload 613 * @data: head of attribute payload 614 * 615 * The caller is responsible to ensure that the skb provides enough 616 * tailroom for the attribute payload. 617 */ 618 void __nla_put_nohdr(struct sk_buff *skb, int attrlen, const void *data) 619 { 620 void *start; 621 622 start = __nla_reserve_nohdr(skb, attrlen); 623 memcpy(start, data, attrlen); 624 } 625 EXPORT_SYMBOL(__nla_put_nohdr); 626 627 /** 628 * nla_put - Add a netlink attribute to a socket buffer 629 * @skb: socket buffer to add attribute to 630 * @attrtype: attribute type 631 * @attrlen: length of attribute payload 632 * @data: head of attribute payload 633 * 634 * Returns -EMSGSIZE if the tailroom of the skb is insufficient to store 635 * the attribute header and payload. 636 */ 637 int nla_put(struct sk_buff *skb, int attrtype, int attrlen, const void *data) 638 { 639 if (unlikely(skb_tailroom(skb) < nla_total_size(attrlen))) 640 return -EMSGSIZE; 641 642 __nla_put(skb, attrtype, attrlen, data); 643 return 0; 644 } 645 EXPORT_SYMBOL(nla_put); 646 647 /** 648 * nla_put_64bit - Add a netlink attribute to a socket buffer and align it 649 * @skb: socket buffer to add attribute to 650 * @attrtype: attribute type 651 * @attrlen: length of attribute payload 652 * @data: head of attribute payload 653 * @padattr: attribute type for the padding 654 * 655 * Returns -EMSGSIZE if the tailroom of the skb is insufficient to store 656 * the attribute header and payload. 657 */ 658 int nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen, 659 const void *data, int padattr) 660 { 661 size_t len; 662 663 if (nla_need_padding_for_64bit(skb)) 664 len = nla_total_size_64bit(attrlen); 665 else 666 len = nla_total_size(attrlen); 667 if (unlikely(skb_tailroom(skb) < len)) 668 return -EMSGSIZE; 669 670 __nla_put_64bit(skb, attrtype, attrlen, data, padattr); 671 return 0; 672 } 673 EXPORT_SYMBOL(nla_put_64bit); 674 675 /** 676 * nla_put_nohdr - Add a netlink attribute without header 677 * @skb: socket buffer to add attribute to 678 * @attrlen: length of attribute payload 679 * @data: head of attribute payload 680 * 681 * Returns -EMSGSIZE if the tailroom of the skb is insufficient to store 682 * the attribute payload. 683 */ 684 int nla_put_nohdr(struct sk_buff *skb, int attrlen, const void *data) 685 { 686 if (unlikely(skb_tailroom(skb) < NLA_ALIGN(attrlen))) 687 return -EMSGSIZE; 688 689 __nla_put_nohdr(skb, attrlen, data); 690 return 0; 691 } 692 EXPORT_SYMBOL(nla_put_nohdr); 693 694 /** 695 * nla_append - Add a netlink attribute without header or padding 696 * @skb: socket buffer to add attribute to 697 * @attrlen: length of attribute payload 698 * @data: head of attribute payload 699 * 700 * Returns -EMSGSIZE if the tailroom of the skb is insufficient to store 701 * the attribute payload. 702 */ 703 int nla_append(struct sk_buff *skb, int attrlen, const void *data) 704 { 705 if (unlikely(skb_tailroom(skb) < NLA_ALIGN(attrlen))) 706 return -EMSGSIZE; 707 708 skb_put_data(skb, data, attrlen); 709 return 0; 710 } 711 EXPORT_SYMBOL(nla_append); 712 #endif 713