netfilter-devel.vger.kernel.org archive mirror
* [PATCH nft] cache: check for NULL chain in cache_init()
@ 2021-04-01 21:21 Pablo Neira Ayuso
  0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2021-04-01 21:21 UTC (permalink / raw)
  To: netfilter-devel

Another process might race to add chains after chain_cache_init().
The generation check does not help since it comes after cache_init().
NLM_F_DUMP_INTR only guarantees consistency within one single netlink
dump operation, so it does not help either (cache population requires
several netlink dump commands).

Let's be safe and not assume the chain exists in the cache when
populating the rule cache.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/cache.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/cache.c b/src/cache.c
index f7187ee7237f..5c21b8958a28 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -338,6 +338,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags)
 				if (!chain)
 					chain = chain_binding_lookup(table,
 							rule->handle.chain.name);
+				if (!chain)
+					goto cache_fails;
+
 				list_move_tail(&rule->list, &chain->rules);
 			}
 			if (ret < 0) {
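
Review bot: the new "goto cache_fails" under the added "if (!chain)" check leaves the loop without assigning ret in the lines shown, while the context right below treats "ret < 0" as the failure signal. If the cache_fails label returns ret, this path can report success with a partially populated cache, so set ret to a negative value before the jump or confirm the label does so. The current rule has not yet been moved to chain->rules when the jump happens, so it is also worth confirming that the cleanup at cache_fails releases the rules still linked on the list being walked. A one-line comment saying the chain can be missing because another process changed the ruleset between the chain dump and the rule dump would explain why both lookups can fail here.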
-- 
2.20.1

