From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref
Date: Tue, 6 Sep 2016 16:17:30 +0200 [thread overview]
Message-ID: <20160906141730.GI29816@orbyte.nwl.cc> (raw)
In-Reply-To: <20160905165243.GA17099@salvia>
Hi,
On Mon, Sep 05, 2016 at 06:52:43PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Aug 30, 2016 at 07:39:50PM +0200, Phil Sutter wrote:
> > As netlink_get_register() may return NULL, we must not pass the returned
> > data unchecked to expr_set_type() as that will dereference it. Since the
> > parser has failed at that point anyway, by returning early we can skip
> > the useless statement allocation that follows in
> > netlink_parse_ct_stmt().
>
> I found a couple more spots, such as the payload stmt that was not
> covered by this patch.
OK. The reason I left those out was that they don't call expr_set_type()
and therefore the potential NULL pointer dereference doesn't happen
there.
> Attaching a new one based on this, looks good to you?
Acked-by: Phil Sutter <phil@nwl.cc>
> Anyway, this is very unlikely to happen: Only if we ever get more
> registers in the kernel, given that expl_clone() relies on the
> xzalloc() function that just stops execution under OOM.
Yes. The thing with Covscan is it will find very theoretical issues and
practical relevance is usually questionable (as they would likely have
been found already).
> Actually this brings an interesting issue that is that we need to
> provide a way to describe the vm capabilities so we can extend things
> in the future without breaking userspace.
Not my cup of tea luckily. :)
Thanks, Phil
next prev parent reply other threads:[~2016-09-06 14:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-30 17:39 [nft PATCH v2 0/4] A round of covscan indicated fixes Phil Sutter
2016-08-30 17:39 ` [nft PATCH v2 1/4] evaluate: Fix datalen checks in expr_evaluate_string() Phil Sutter
2016-09-05 16:37 ` Pablo Neira Ayuso
2016-08-30 17:39 ` [nft PATCH v2 2/4] netlink_delinearize: Avoid potential null pointer deref Phil Sutter
2016-09-05 16:52 ` Pablo Neira Ayuso
2016-09-06 14:17 ` Phil Sutter [this message]
2016-08-30 17:39 ` [nft PATCH v2 3/4] stmt_evaluate_reset: Have a generic fix for missing network context Phil Sutter
2016-09-05 16:53 ` Pablo Neira Ayuso
2016-08-30 17:39 ` [nft PATCH v2 4/4] evaluate: Avoid undefined behaviour in concat_subtype_id() Phil Sutter
2016-09-05 17:09 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160906141730.GI29816@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).