From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.netfilter.org (mail.netfilter.org [217.70.188.207]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1604D4C7C; Thu, 27 Jun 2024 00:41:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.188.207 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719448884; cv=none; b=rqYssrce84S9Jue8PhGJV0ZhMsgDW5hmqp4K8o54+6LazLChx35ERQk+hIS+4QAMb4WqhAMGY9BVd7EcbcdMyDSNAWljRg8Gc/QEsktysIYWx/VvWnQarNIbkQ0UtuNz0XcPivDaK/Z9mbAubwO4QPflATzn8KDKpg4S+x4amJ4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719448884; c=relaxed/simple; bh=93isI6uyvkaHqrN+KFDejx8ggG8wgEi87rrl5QEcVo0=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=IfuakKUGupr3eUULTgxtfHWPgS0fxR1ZZDQ+tVUX70ofAKdN2JNpPsOHaA8lJrOBLgjwGKKqi7EEyE/UU+R3qH+miKgpBrxh8e/B1+wysRRPbPR8TB3tX7xhXOSlFrswp9oCCF6qgaLjikfZbzKLotvfw7MmxTHDocyotVlDfhc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; arc=none smtp.client-ip=217.70.188.207 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=netfilter.org From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org, sashal@kernel.org, torvalds@linuxfoundation.org Subject: [PATCH -stable,4.19.x] netfilter: nf_tables: validate family when identifying table via handle Date: Thu, 27 Jun 2024 02:41:11 +0200 Message-Id: <20240627004113.150349-1-pablo@netfilter.org> X-Mailer: git-send-email 2.30.2 Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit [ Upstream commit f6e1532a2697b81da00bfb184e99d15e01e9d98c ] Validate table family when looking up for it via NFTA_TABLE_HANDLE. Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle") Reported-by: Xingyuan Mo Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 198e4a89df48..2c31470dd61f 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -536,7 +536,7 @@ static struct nft_table *nft_table_lookup(const struct net *net, static struct nft_table *nft_table_lookup_byhandle(const struct net *net, const struct nlattr *nla, - u8 genmask) + int family, u8 genmask) { struct nftables_pernet *nft_net; struct nft_table *table; @@ -544,6 +544,7 @@ static struct nft_table *nft_table_lookup_byhandle(const struct net *net, nft_net = net_generic(net, nf_tables_net_id); list_for_each_entry(table, &nft_net->tables, list) { if (be64_to_cpu(nla_get_be64(nla)) == table->handle && + table->family == family && nft_active_genmask(table, genmask)) return table; } @@ -1189,7 +1190,7 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk, if (nla[NFTA_TABLE_HANDLE]) { attr = nla[NFTA_TABLE_HANDLE]; - table = nft_table_lookup_byhandle(net, attr, genmask); + table = nft_table_lookup_byhandle(net, attr, family, genmask); } else { attr = nla[NFTA_TABLE_NAME]; table = nft_table_lookup(net, attr, family, genmask); -- 2.30.2