From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net, technoboy85@gmail.com
Subject: Re: [PATCH] netfilter: nf_tables: don't update chain with unset counters
Date: Tue, 5 Aug 2014 18:32:46 +0200 [thread overview]
Message-ID: <20140805163246.GA4372@salvia> (raw)
In-Reply-To: <1407254831.3178.90.camel@edumazet-glaptop2.roam.corp.google.com>
On Tue, Aug 05, 2014 at 06:07:11PM +0200, Eric Dumazet wrote:
> On Tue, 2014-08-05 at 17:30 +0200, Pablo Neira Ayuso wrote:
> > Fix possible replacemen of the per-cpu chain counters by null
> > pointer when updating an existing chain in the commit path.
> >
> > Reported-by: Matteo Croce <technoboy85@gmail.com>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> > net/netfilter/nf_tables_api.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index f95dc95..f7dce2b 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -899,6 +899,9 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
> > static void nft_chain_stats_replace(struct nft_base_chain *chain,
> > struct nft_stats __percpu *newstats)
> > {
> > + if (newstats == NULL)
> > + return;
> > +
> > if (chain->stats) {
> > struct nft_stats __percpu *oldstats =
> > nft_dereference(chain->stats);
>
> This looks strange. Real bug is that nft_dump_stats() should not try to
> fold percpu stats and output something if 'stats' is NULL ?
>
> Otherwise, why nft_chain_stats_replace() checks if previous pointer is
> NULL ?
Currently, we always allocate the per-cpu chain stats. The problem
occurs here:
static int nf_tables_newchain(struct sock *nlsk, ...
...
if (chain != NULL) {
struct nft_stats *stats = NULL;
...
if (nla[NFTA_CHAIN_COUNTERS]) {
...
}
...
nft_trans_chain_stats(trans) = stats;
Then, in the nf_tables_commit() path, this calls
nft_chain_commit_update() which sets the per-chain stats to NULL,
which is bad.
The idea is that, if no chain stats are passed when updating the
chain, this means: "please, leave the chain counter as is in this
update".
This bug slipped through with the transaction infrastructure.
prev parent reply other threads:[~2014-08-05 16:32 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-05 15:30 [PATCH] netfilter: nf_tables: don't update chain with unset counters Pablo Neira Ayuso
2014-08-05 16:07 ` Eric Dumazet
2014-08-05 16:32 ` Pablo Neira Ayuso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140805163246.GA4372@salvia \
--to=pablo@netfilter.org \
--cc=eric.dumazet@gmail.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=technoboy85@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.