[PATCH 05/14] netfilter: nf_tables: fix possible oops when dumping stateful objects

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 05/14] netfilter: nf_tables: fix possible oops when dumping stateful objects
Date: Thu, 26 Jan 2017 17:37:58 +0100	[thread overview]
Message-ID: <1485448687-6072-6-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1485448687-6072-1-git-send-email-pablo@netfilter.org>

From: Liping Zhang <zlpnobody@gmail.com>

When dumping nft stateful objects, if NFTA_OBJ_TABLE and NFTA_OBJ_TYPE
attributes are not specified either, filter will become NULL, so oops
will happen(actually nft utility will always set NFTA_OBJ_TABLE attr,
so I write a test program to make this happen):

  BUG: unable to handle kernel NULL pointer dereference at (null)
  IP: nf_tables_dump_obj+0x17c/0x330 [nf_tables]
  [...]
  Call Trace:
  ? nf_tables_dump_obj+0x5/0x330 [nf_tables]
  ? __kmalloc_reserve.isra.35+0x31/0x90
  ? __alloc_skb+0x5b/0x1e0
  netlink_dump+0x124/0x2a0
  __netlink_dump_start+0x161/0x190
  nf_tables_getobj+0xe8/0x280 [nf_tables]

Fixes: a9fea2a3c3cf ("netfilter: nf_tables: allow to filter stateful object dumps by type")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0db5f9782265..091d2dcc63b2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4262,10 +4262,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
 				if (idx > s_idx)
 					memset(&cb->args[1], 0,
 					       sizeof(cb->args) - sizeof(cb->args[0]));
-				if (filter->table[0] &&
+				if (filter && filter->table[0] &&
 				    strcmp(filter->table, table->name))
 					goto cont;
-				if (filter->type != NFT_OBJECT_UNSPEC &&
+				if (filter &&
+				    filter->type != NFT_OBJECT_UNSPEC &&
 				    obj->type->type != filter->type)
 					goto cont;
 
-- 
2.1.4

next prev parent reply	other threads:[~2017-01-26 16:37 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-26 16:37 [PATCH 00/14] Netfilter fixes for net Pablo Neira Ayuso
2017-01-26 16:37 ` [PATCH 01/14] netfilter: use fwmark_reflect in nf_send_reset Pablo Neira Ayuso
2017-01-26 16:37 ` [PATCH 02/14] tcp: fix mark propagation with fwmark_reflect enabled Pablo Neira Ayuso
2017-01-26 18:02   ` Eric Dumazet
2017-01-26 19:19     ` Pablo Neira Ayuso
2017-01-26 19:28       ` Eric Dumazet
2017-01-26 16:37 ` [PATCH 03/14] netfilter: nf_tables: fix spelling mistakes Pablo Neira Ayuso
2017-01-26 16:37 ` [PATCH 04/14] netfilter: rpfilter: fix incorrect loopback packet judgment Pablo Neira Ayuso
2017-01-26 16:37 ` Pablo Neira Ayuso [this message]
2017-01-26 16:37 ` [PATCH 06/14] netfilter: Fix typo in NF_CONNTRACK Kconfig option description Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 07/14] netfilter: ipt_CLUSTERIP: fix build error without procfs Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 08/14] netfilter: conntrack: remove GC_MAX_EVICTS break Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 09/14] netfilter: conntrack: refine gc worker heuristics, redux Pablo Neira Ayuso
2017-01-27 16:51   ` Nicolas Dichtel
2017-03-01 15:02     ` Nicolas Dichtel
2017-03-01 15:38       ` Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 10/14] netfilter: nf_tables: validate the name size when possible Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 11/14] netfilter: nft_log: restrict the log prefix length to 127 Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 12/14] netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 13/14] netfilter: nf_tables: deconstify walk callback function Pablo Neira Ayuso
2017-01-26 16:38 ` [PATCH 14/14] netfilter: nf_tables: bump set->ndeact on set flush Pablo Neira Ayuso
2017-01-26 17:59 ` [PATCH 00/14] Netfilter fixes for net David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0db5f978226 dfblob:091d2dcc63b )
 OR (
bs:"[PATCH 05/14] netfilter: nf_tables: fix possible oops when dumping stateful objects" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1485448687-6072-6-git-send-email-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).