From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pablo Neira Ayuso
Subject: [PATCH -stable,4.3.y] netfilter: xt_TEE: fix NULL dereference
Date: Mon, 16 Nov 2015 12:00:31 +0100
Message-ID: <1447671631-2117-2-git-send-email-pablo@netfilter.org>
References: <1447671631-2117-1-git-send-email-pablo@netfilter.org>
Cc: stable@vger.kernel.org, Eric Dumazet
To: netfilter-devel@vger.kernel.org
Return-path:
Received: from mail.us.es ([193.147.175.20]:56961 "EHLO mail.us.es"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752163AbbKPLAr (ORCPT ); Mon, 16 Nov 2015 06:00:47 -0500
Received: from antivirus1-rhel7.int (antivirus1.int [192.168.2.11])
	by mail.us.es (Postfix) with ESMTP id A9FFD153AD1
	for ; Mon, 16 Nov 2015 12:00:46 +0100 (CET)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
	by antivirus1-rhel7.int (Postfix) with ESMTP id 869B74EDBD
	for ; Mon, 16 Nov 2015 12:00:46 +0100 (CET)
Received: from antivirus1-rhel7.int (localhost [127.0.0.1])
	by antivirus1-rhel7.int (Postfix) with ESMTP id E242F52116
	for ; Mon, 16 Nov 2015 12:00:38 +0100 (CET)
In-Reply-To: <1447671631-2117-1-git-send-email-pablo@netfilter.org>
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

From: Eric Dumazet

[ upstream commit 45efccdbec3cd465c4776ed9ca1d7b1bba1b7e34 ]

iptables -I INPUT ... -j TEE --gateway 10.1.2.3

because --oif was not specified

tee_tg_check() sets ->priv pointer to NULL in this case.

Fixes: bbde9fc1824a ("netfilter: factor out packet duplication for IPv4/IPv6")
Cc: # 4.3.x
Signed-off-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/xt_TEE.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index fd980aa..c5fdea1 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -31,8 +31,9 @@ static unsigned int tee_tg4(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_tee_tginfo *info = par->targinfo; + int oif = info->priv ? info->priv->oif : 0; - nf_dup_ipv4(skb, par->hooknum, &info->gw.in, info->priv->oif); + nf_dup_ipv4(skb, par->hooknum, &info->gw.in, oif); return XT_CONTINUE; } @@ -42,8 +43,9 @@ static unsigned int tee_tg6(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_tee_tginfo *info = par->targinfo; + int oif = info->priv ? info->priv->oif : 0; - nf_dup_ipv6(skb, par->hooknum, &info->gw.in6, info->priv->oif); + nf_dup_ipv6(skb, par->hooknum, &info->gw.in6, oif); return XT_CONTINUE; } -- 2.1.4
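
Review bot: in the tee_tg4() hunk, the fallback value in "int oif = info->priv ? info->priv->oif : 0;" is an undocumented magic number. Nothing in the visible lines says how nf_dup_ipv4() interprets an oif of 0, so a reader cannot tell from this patch that the no --oif case ends up with "no output interface restriction" rather than some other behaviour. A one-line comment above the declaration stating that ->priv is NULL when --oif was not given (as the commit message says tee_tg_check() arranges) and what 0 means to nf_dup_ipv4() would make the NULL path reviewable without opening the callee.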
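
Review bot: the tee_tg6() hunk repeats the exact NULL guard added to tee_tg4(), "info->priv ? info->priv->oif : 0", so the check now lives in two places that must stay in sync. A small static helper in xt_TEE.c that takes the const struct xt_tee_tginfo pointer and returns the oif would keep the ->priv NULL handling in one spot, so a later change to how tee_tg_check() sets ->priv cannot fix one address family and miss the other.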