[PATCH 01/14] netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 01/14] netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled
Date: Thu, 10 Nov 2016 01:23:34 +0100	[thread overview]
Message-ID: <1478737427-1574-2-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1478737427-1574-1-git-send-email-pablo@netfilter.org>

From: Liping Zhang <zlpnobody@gmail.com>

When CONFIG_NFT_SET_HASH is not enabled and I input the following rule:
"nft add rule filter output flow table test {ip daddr counter }", kernel
panic happened on my system:
 BUG: unable to handle kernel NULL pointer dereference at (null)
 IP: [<          (null)>]           (null)
 [...]
 Call Trace:
 [<ffffffffa0590466>] ? nft_dynset_eval+0x56/0x100 [nf_tables]
 [<ffffffffa05851bb>] nft_do_chain+0xfb/0x4e0 [nf_tables]
 [<ffffffffa0432f01>] ? nf_conntrack_tuple_taken+0x61/0x210 [nf_conntrack]
 [<ffffffffa0459ea6>] ? get_unique_tuple+0x136/0x560 [nf_nat]
 [<ffffffffa043bca1>] ? __nf_ct_ext_add_length+0x111/0x130 [nf_conntrack]
 [<ffffffffa045a357>] ? nf_nat_setup_info+0x87/0x3b0 [nf_nat]
 [<ffffffff81761e27>] ? ipt_do_table+0x327/0x610
 [<ffffffffa045a6d7>] ? __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
 [<ffffffffa059f21f>] nft_ipv4_output+0xaf/0xd0 [nf_tables_ipv4]
 [<ffffffff81702515>] nf_iterate+0x55/0x60
 [<ffffffff81702593>] nf_hook_slow+0x73/0xd0

Because in rbtree type set, ops->update is not implemented. So just keep
it simple, in such case, report -EOPNOTSUPP to the user space.

Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_dynset.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 517f08767a3c..bfdb689664b0 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -139,6 +139,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 			return PTR_ERR(set);
 	}

+	if (set->ops->update == NULL)
+		return -EOPNOTSUPP;
+
 	if (set->flags & NFT_SET_CONSTANT)
 		return -EBUSY;

-- 
2.1.4

next prev parent reply	other threads:[~2016-11-10  0:23 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-10  0:23 [PATCH 00/14] Netfilter fixes for net Pablo Neira Ayuso
2016-11-10  0:23 ` Pablo Neira Ayuso [this message]
2016-11-10  0:23 ` [PATCH 02/14] netfilter: nf_tables: fix *leak* when expr clone fail Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 03/14] netfilter: nf_tables: fix race when create new element in dynset Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 04/14] netfilter: nf_conntrack_sip: extend request line validation Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 05/14] netfilter: nf_tables: fix type mismatch with error return from nft_parse_u32_check Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 06/14] netfilter: conntrack: avoid excess memory allocation Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 07/14] netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 08/14] netfilter: nf_tables: destroy the set if fail to add transaction Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 09/14] netfilter: nft_dup: do not use sreg_dev if the user doesn't specify it Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 10/14] ipvs: use IPVS_CMD_ATTR_MAX for family.maxattr Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 11/14] netfilter: connmark: ignore skbs with magic untracked conntrack objects Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 12/14] netfilter: conntrack: fix CT target for UNSPEC helpers Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 13/14] netfilter: conntrack: refine gc worker heuristics Pablo Neira Ayuso
2016-11-10  0:23 ` [PATCH 14/14] netfilter: nf_tables: fix oops when inserting an element into a verdict map Pablo Neira Ayuso
2016-11-10  1:38 ` [PATCH 00/14] Netfilter fixes for net David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:517f08767a3 dfblob:bfdb689664b )
 OR (
bs:"[PATCH 01/14] netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1478737427-1574-2-git-send-email-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).