[libvirt PATCH 19/28] util: check for 0 args when applying iptables rule

Laine Stump posted 28 patches 1 year, 1 month ago
There is a newer version of this series
Posted by Laine Stump 1 year, 1 month ago
In normal practice a firewall rule should never have 0 args by the
time it gets to the Apply stage, but at some time while debugging
auto-rollback exactly that happened (due to a bug that was since
squashed), and having a check for it helped debugging, so let's
permanently check for it (the nftables version of ApplyRule already
has this check).

Signed-off-by: Laine Stump <laine@redhat.com>
---
 src/util/viriptables.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 96b69daf68..4e3188e4d1 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -71,10 +71,11 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
 {
     virFirewallLayer layer = virFirewallRuleGetLayer(rule);
     const char *bin = virIptablesLayerCommandTypeToString(layer);
+    size_t count = virFirewallRuleGetArgCount(rule);
     g_autoptr(virCommand) cmd = NULL;
     g_autofree char *cmdStr = NULL;
     g_autofree char *error = NULL;
-    size_t i, count;
+    size_t i;
     int status;
 
     if (!bin) {
@@ -83,6 +84,12 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
         return -1;
     }
 
+    if (count == 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Can't apply empty firewall rule"));
+        return -1;
+    }
+
     cmd = virCommandNewArgList(bin, NULL);
 
     /* lock to assure nobody else is messing with the tables while we are */
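Review bot: the new `count == 0` check sits after the `!bin` validation but before `virCommandNewArgList()` and the table lock that the following comment describes, so the early `return -1` needs no cleanup; keep that ordering if the function is reshuffled later. Since the commit message says the nftables ApplyRule already carries this check, reusing its exact error string here would leave a single translatable message for the same condition; VIR_ERR_INTERNAL_ERROR is the right class, as a zero-argument rule reaching Apply is a programming error rather than bad user input.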
@@ -98,7 +105,6 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
         break;
     }
 
-    count = virFirewallRuleGetArgCount(rule);
     for (i = 0; i < count; i++)
         virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i));
 
-- 
2.39.2
Re: [libvirt PATCH 19/28] util: check for 0 args when applying iptables rule
Posted by Daniel P. Berrangé 1 year, 1 month ago
On Sun, Apr 30, 2023 at 11:19:34PM -0400, Laine Stump wrote:
> In normal practice a firewall rule should never have 0 args by the
> time it gets to the Apply stage, but at some time while debugging
> auto-rollback exactly that happened (due to a bug that was since
> squashed), and having a check for it helped debugging, so let's
> permanently check for it (the nftables version of ApplyRule already
> has this check).
> 
> Signed-off-by: Laine Stump <laine@redhat.com>
> ---
>  src/util/viriptables.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|