-Wflex-array-member-not-at-end was introduced in GCC-14, and we are
getting ready to enable it globally.

struct compat_xt_standard_target and struct compat_xt_error_target are
only used in xt_compat_check_entry_offsets(). Remove these structs and
instead define the same memory layout on the stack via flexible struct
compat_xt_entry_target and DEFINE_RAW_FLEX(). Adjust the rest of the
code accordingly.

With these changes, fix the following warnings:

1 net/netfilter/x_tables.c:816:39: warning: structure containing a flexible 
array member is not at the end of another structure 
[-Wflex-array-member-not-at-end]
1 net/netfilter/x_tables.c:811:39: warning: structure containing a flexible 
array member is not at the end of another structure 
[-Wflex-array-member-not-at-end]

Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
Changes in v2:
 - Update verdict after (compat_uint_t *)st->data;

v1:
 - Link: https://lore.kernel.org/linux-hardening/adbIKC0cZcK7VcCF@kspp/

 net/netfilter/x_tables.c | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index b39017c80548..746012196d83 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -817,17 +817,6 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
 }
 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
 
-/* non-compat version may have padding after verdict */
-struct compat_xt_standard_target {
-       struct compat_xt_entry_target t;
-       compat_uint_t verdict;
-};
-
-struct compat_xt_error_target {
-       struct compat_xt_entry_target t;
-       char errorname[XT_FUNCTION_MAXNAMELEN];
-};
-
 int xt_compat_check_entry_offsets(const void *base, const char *elems,
                                  unsigned int target_offset,
                                  unsigned int next_offset)
@@ -850,18 +839,26 @@ int xt_compat_check_entry_offsets(const void *base, const 
char *elems,
                return -EINVAL;
 
        if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0) {
-               const struct compat_xt_standard_target *st = (const void *)t;
+               DEFINE_RAW_FLEX(const struct compat_xt_entry_target, st, data,
+                               sizeof(compat_uint_t));
+               compat_uint_t *verdict;
 
-               if (COMPAT_XT_ALIGN(target_offset + sizeof(*st)) != next_offset)
+               st = (const void *)t;
+               verdict = (compat_uint_t *)st->data;
+
+               if (COMPAT_XT_ALIGN(target_offset + __struct_size(st)) !=
+                               next_offset)
                        return -EINVAL;
 
-               if (!verdict_ok(st->verdict))
+               if (!verdict_ok(*verdict))
                        return -EINVAL;
        } else if (strcmp(t->u.user.name, XT_ERROR_TARGET) == 0) {
-               const struct compat_xt_error_target *et = (const void *)t;
+               DEFINE_RAW_FLEX(const struct compat_xt_entry_target, et, data,
+                               XT_FUNCTION_MAXNAMELEN);
+               et = (const void *)t;
 
-               if (!error_tg_ok(t->u.target_size, sizeof(*et),
-                                et->errorname, sizeof(et->errorname)))
+               if (!error_tg_ok(t->u.target_size, __struct_size(et),
+                                et->data, __member_size(et->data)))
                        return -EINVAL;
        }
 
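Review bot: `__struct_size(st)` and `__member_size(et->data)` are evaluated after `st` and `et` have been repointed at `t`, so in both branches the size that gates the offset check no longer comes from the on-stack object that `DEFINE_RAW_FLEX()` created. As far as I know these helpers expand to `__builtin_dynamic_object_size()`, which reports on whatever the pointer refers to at that point; for `t`, whose origin is outside the hunk, the compiler may not know a size and would return the "unknown" value, so the comparison with `next_offset` and the `target_size` check could behave differently from the old `sizeof(*st)` and `sizeof(*et)`. Because this function validates entry offsets (its body starts and ends outside the hunk), I would keep plain pointers and spell the sizes as compile-time constants, e.g. `const struct compat_xt_entry_target *st = (const void *)t;` with `struct_size_t(struct compat_xt_entry_target, data, sizeof(compat_uint_t))`, which also avoids two zero-initialised stack buffers that are never read. For the error target, confirm that the replacement constant still equals the old `sizeof(struct compat_xt_error_target)` including any tail padding, since it is passed to `error_tg_ok()` alongside `t->u.target_size`. `verdict` should also be declared `const compat_uint_t *` so the cast does not drop the `const` from `st->data`.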
-- 
2.43.0

