* [PATCH libnftnl 0/2] object: fix crashes with out-of-tree nft
From: Florian Westphal @ 2017-02-27 14:56 UTC
To: netfilter-devel

While working on ct helper object support I encountered crashes in libnftnl.
This occurs when nft sets unknown object types not supported by libnftnl.

The two patches avoid segfaults in case unsupported types are requested.
* [PATCH libnftnl 1/2] object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null 2017-02-27 14:56 [PATCH libnftnl 0/2] object: fix crashes with out-of-tree nft Florian Westphal @ 2017-02-27 14:56 ` Florian Westphal 2017-02-27 15:59 ` Pablo Neira Ayuso 2017-02-27 14:56 ` [PATCH libnftnl 2/2] object: fix crash when object ops is null Florian Westphal 1 sibling, 1 reply; 5+ messages in thread From: Florian Westphal @ 2017-02-27 14:56 UTC (permalink / raw) To: netfilter-devel; +Cc: Florian Westphal If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL. In this case we must not set NFTNL_OBJ_TYPE flag, else we later get crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops. Signed-off-by: Florian Westphal <fw@strlen.de> --- src/object.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/object.c b/src/object.c index 9594d2f99071..62fa48afa2a1 100644 --- a/src/object.c +++ b/src/object.c @@ -83,6 +83,8 @@ void nftnl_obj_set_data(struct nftnl_obj *obj, uint16_t attr, break; case NFTNL_OBJ_TYPE: obj->ops = nftnl_obj_ops_lookup(*((uint32_t *)data)); + if (!obj->ops) + return; break; case NFTNL_OBJ_FAMILY: obj->family = *((uint32_t *)data); @@ -250,7 +252,8 @@ int nftnl_obj_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_obj *obj) uint32_t type = ntohl(mnl_attr_get_u32(tb[NFTA_OBJ_TYPE])); obj->ops = nftnl_obj_ops_lookup(type); - obj->flags |= (1 << NFTNL_OBJ_TYPE); + if (obj->ops) + obj->flags |= (1 << NFTNL_OBJ_TYPE); } if (tb[NFTA_OBJ_DATA]) { if (obj->ops) { -- 2.10.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
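Review bot: in the nftnl_obj_set_data hunk the new `if (!obj->ops) return;` silently drops the request: the setter is void, so a caller passing an unsupported type learns nothing and the object simply never acquires the NFTNL_OBJ_TYPE flag. A short comment explaining that the early `return` (rather than the `break` used by the other cases) is what skips the flag update would make the intent clear to the next reader, and it may be worth having the public setter report a rejected type to its caller.

Review bot: in the nftnl_obj_nlmsg_parse hunk the guarded `obj->flags |= (1 << NFTNL_OBJ_TYPE);` means a message carrying an unknown NFTA_OBJ_TYPE still parses successfully, with the type discarded and, per the following `if (obj->ops)` context, the NFTA_OBJ_DATA payload skipped as well. The local `type` value is lost at that point, so consider either returning an error from the parser for unknown types or keeping the numeric type on the object so callers can tell what they actually received.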
* Re: [PATCH libnftnl 1/2] object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null
From: Pablo Neira Ayuso @ 2017-02-27 15:59 UTC
To: Florian Westphal; +Cc: netfilter-devel

On Mon, Feb 27, 2017 at 03:56:09PM +0100, Florian Westphal wrote:
> If nft sets an invalid type, nftnl_obj_ops_lookup will return NULL.
> In this case we must not set NFTNL_OBJ_TYPE flag, else we later get
> crash in nftnl_obj_nlmsg_build_payload as it dereferences obj->ops.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* [PATCH libnftnl 2/2] object: fix crash when object ops is null 2017-02-27 14:56 [PATCH libnftnl 0/2] object: fix crashes with out-of-tree nft Florian Westphal 2017-02-27 14:56 ` [PATCH libnftnl 1/2] object: don't set NFTNL_OBJ_TYPE unless obj->ops is non-null Florian Westphal @ 2017-02-27 14:56 ` Florian Westphal 2017-02-27 15:44 ` Pablo Neira Ayuso 1 sibling, 1 reply; 5+ messages in thread From: Florian Westphal @ 2017-02-27 14:56 UTC (permalink / raw) To: netfilter-devel; +Cc: Florian Westphal when debugging nft with invalid object type (during development), this will crash here with null deref. Print (unknown) instead if obj->ops is null. Signed-off-by: Florian Westphal <fw@strlen.de> --- src/object.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/object.c b/src/object.c index 62fa48afa2a1..773eff6a5a18 100644 --- a/src/object.c +++ b/src/object.c @@ -396,10 +396,11 @@ static int nftnl_obj_snprintf_dflt(char *buf, size_t size, const struct nftnl_obj *obj, uint32_t type, uint32_t flags) { + const char *name = obj->ops ? obj->ops->name : "(unknown)"; int ret, len = size, offset = 0; ret = snprintf(buf, size, "table %s name %s use %u [ %s ", - obj->table, obj->name, obj->use, obj->ops->name); + obj->table, obj->name, obj->use, name); SNPRINTF_BUFFER_SIZE(ret, size, len, offset); if (obj->ops) { -- 2.10.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
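Review bot: in the nftnl_obj_snprintf_dflt hunk the `"(unknown)"` fallback avoids the NULL dereference but gives the developer no hint of which object type was unrecognised, since only obj->ops is stored and the numeric type is not available at this point. For the development debugging case the commit message describes, printing the raw type number would be more useful if it can be carried on the object; otherwise a brief comment noting that the trailing `if (obj->ops) {` block is what still guards the type-specific output would help readers see why no further check is needed here.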
* Re: [PATCH libnftnl 2/2] object: fix crash when object ops is null
From: Pablo Neira Ayuso @ 2017-02-27 15:44 UTC
To: Florian Westphal; +Cc: netfilter-devel

On Mon, Feb 27, 2017 at 03:56:10PM +0100, Florian Westphal wrote:
> when debugging nft with invalid object type (during development),
> this will crash here with null deref. Print (unknown) instead
> if obj->ops is null.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks Florian.