* [PATCH nf-next 0/2] fixes for recent nf_compact hooks
@ 2016-09-26 16:24 Aaron Conole
2016-09-26 16:24 ` [PATCH nf-next 1/2] netfilter: Fix potential null pointer dereference Aaron Conole
2016-09-26 16:24 ` [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig Aaron Conole
0 siblings, 2 replies; 5+ messages in thread
From: Aaron Conole @ 2016-09-26 16:24 UTC (permalink / raw)
To: netfilter-devel, netdev; +Cc: Florian Westphal, Pablo Neira Ayuso
Two possible error conditions were caught during an extended testing
session, and by a build robot. These patches fix the two issues (a
missing handler when config is changed, and a potential NULL
dereference).
Aaron Conole (2):
netfilter: Fix potential null pointer dereference
nf_set_hooks_head: acommodate different kconfig
net/netfilter/core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--
2.5.5
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH nf-next 1/2] netfilter: Fix potential null pointer dereference
2016-09-26 16:24 [PATCH nf-next 0/2] fixes for recent nf_compact hooks Aaron Conole
@ 2016-09-26 16:24 ` Aaron Conole
2016-09-26 16:24 ` [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig Aaron Conole
1 sibling, 0 replies; 5+ messages in thread
From: Aaron Conole @ 2016-09-26 16:24 UTC (permalink / raw)
To: netfilter-devel, netdev; +Cc: Florian Westphal, Pablo Neira Ayuso
It's possible for nf_hook_entry_head to return NULL if two
nf_unregister_net_hook calls happen simultaneously with a single hook
entry in the list. This fix ensures that no null pointer dereference
could occur when such a race happens.
Signed-off-by: Aaron Conole <aconole@bytheb.org>
---
net/netfilter/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 360c63d..e58e420 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -160,7 +160,7 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
mutex_lock(&nf_hook_mutex);
hooks_entry = nf_hook_entry_head(net, reg);
- if (hooks_entry->orig_ops == reg) {
+ if (hooks_entry && hooks_entry->orig_ops == reg) {
nf_set_hooks_head(net, reg,
nf_entry_dereference(hooks_entry->next));
goto unlock;
--
2.5.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig
2016-09-26 16:24 [PATCH nf-next 0/2] fixes for recent nf_compact hooks Aaron Conole
2016-09-26 16:24 ` [PATCH nf-next 1/2] netfilter: Fix potential null pointer dereference Aaron Conole
@ 2016-09-26 16:24 ` Aaron Conole
2016-09-26 16:39 ` Florian Westphal
1 sibling, 1 reply; 5+ messages in thread
From: Aaron Conole @ 2016-09-26 16:24 UTC (permalink / raw)
To: netfilter-devel, netdev; +Cc: Florian Westphal, Pablo Neira Ayuso
When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
the request for registration properly by dropping the hook. This
releases the entry during the set.
Signed-off-by: Aaron Conole <aconole@bytheb.org>
---
net/netfilter/core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index e58e420..1d0a4c9 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg,
{
switch (reg->pf) {
case NFPROTO_NETDEV:
+#ifdef CONFIG_NETFILTER_INGRESS
/* We already checked in nf_register_net_hook() that this is
* used from ingress.
*/
rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);
+#else
+ kfree(entry);
+#endif
break;
default:
rcu_assign_pointer(net->nf.hooks[reg->pf][reg->hooknum],
--
2.5.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig
2016-09-26 16:24 ` [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig Aaron Conole
@ 2016-09-26 16:39 ` Florian Westphal
2016-09-26 16:43 ` Aaron Conole
0 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2016-09-26 16:39 UTC (permalink / raw)
To: Aaron Conole; +Cc: netfilter-devel, netdev, Florian Westphal, Pablo Neira Ayuso
Aaron Conole <aconole@bytheb.org> wrote:
> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
> the request for registration properly by dropping the hook. This
> releases the entry during the set.
>
> Signed-off-by: Aaron Conole <aconole@bytheb.org>
> ---
> net/netfilter/core.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index e58e420..1d0a4c9 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg,
> {
> switch (reg->pf) {
> case NFPROTO_NETDEV:
> +#ifdef CONFIG_NETFILTER_INGRESS
> /* We already checked in nf_register_net_hook() that this is
> * used from ingress.
> */
> rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);
> +#else
> + kfree(entry);
> +#endif
> break;
This looks dodgy (its correct though).
I'd propose to add a test to nf_register_net_hook()
to bail with -EOPNOSTUPP instead of this "#else kfree()" if we get
NFPROTO_NETDEV pf with CONFIG_NETFILTER_INGRESS=n build instead.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig
2016-09-26 16:39 ` Florian Westphal
@ 2016-09-26 16:43 ` Aaron Conole
0 siblings, 0 replies; 5+ messages in thread
From: Aaron Conole @ 2016-09-26 16:43 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel, netdev, Pablo Neira Ayuso
Florian Westphal <fw@strlen.de> writes:
> Aaron Conole <aconole@bytheb.org> wrote:
>> When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
>> the request for registration properly by dropping the hook. This
>> releases the entry during the set.
>>
>> Signed-off-by: Aaron Conole <aconole@bytheb.org>
>> ---
>> net/netfilter/core.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
>> index e58e420..1d0a4c9 100644
>> --- a/net/netfilter/core.c
>> +++ b/net/netfilter/core.c
>> @@ -90,10 +90,14 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg,
>> {
>> switch (reg->pf) {
>> case NFPROTO_NETDEV:
>> +#ifdef CONFIG_NETFILTER_INGRESS
>> /* We already checked in nf_register_net_hook() that this is
>> * used from ingress.
>> */
>> rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);
>> +#else
>> + kfree(entry);
>> +#endif
>> break;
>
> This looks dodgy (its correct though).
>
> I'd propose to add a test to nf_register_net_hook()
> to bail with -EOPNOSTUPP instead of this "#else kfree()" if we get
> NFPROTO_NETDEV pf with CONFIG_NETFILTER_INGRESS=n build instead.
Okay, I'll spin a new version.
Thanks for the review, Florian!
-Aaron
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-09-26 16:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-26 16:24 [PATCH nf-next 0/2] fixes for recent nf_compact hooks Aaron Conole
2016-09-26 16:24 ` [PATCH nf-next 1/2] netfilter: Fix potential null pointer dereference Aaron Conole
2016-09-26 16:24 ` [PATCH nf-next 2/2] nf_set_hooks_head: acommodate different kconfig Aaron Conole
2016-09-26 16:39 ` Florian Westphal
2016-09-26 16:43 ` Aaron Conole
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).