
Commit 20c4764

committed
Merge tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Missing nul-check in basechain hook netlink dump path, from Gavrilov Ilia. 2) Fix bitwise register tracking, from Jeremy Sowden. 3) Null pointer dereference when accessing conntrack helper, from Tijs Van Buggenhout. 4) Add schedule point to ipset's call_ad, from Kuniyuki Iwashima. 5) Incorrect boundary check when building chain blob. * tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: out-of-bound check in chain blob netfilter: ipset: Add schedule point in call_ad(). netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper netfilter: nft_bitwise: fix register tracking netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook() ==================== Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>
2 parents e684ab7 + 08e42a0 commit 20c4764


4 files changed

+15
-2
lines changed


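--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1694,6 +1694,14 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
 bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
 
 do {
+if (retried) {
+__ip_set_get(set);
+nfnl_unlock(NFNL_SUBSYS_IPSET);
+cond_resched();
+nfnl_lock(NFNL_SUBSYS_IPSET);
+__ip_set_put(set);
+}
+
 ip_set_lock(set);
 ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
 ip_set_unlock(set);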
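Review bot: The added block at the top of the `do` loop releases the nfnl mutex between `__ip_set_get(set)` and `__ip_set_put(set)`, so other ipset commands can run against `set` while this thread sits in `cond_resched()`, and the hunk does not say what keeps that safe. The reference presumably keeps the set alive, but it is worth confirming that every path that can run in that window (destroy, rename and in particular swap) honours this counter and cannot move it to a different set; otherwise the put could land on a count that was never raised. At minimum I would add a comment above the block, `/* Pin the set: the nfnl mutex is released across cond_resched() */`. The body of call_ad starts before and continues past the hunk, so the loop's retry condition cannot be checked from here.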

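--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2260,6 +2260,9 @@ static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
 return 0;
 
 helper = rcu_dereference(help->helper);
+if (!helper)
+return 0;
+
 if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
 return 0;
 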
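Review bot: The new `if (!helper)` test does not say how `help->helper` can be NULL when `help` itself is not, and anyone reading the `helper->flags` test right after it will want to know. Presumably the helper pointer can be cleared while the extension stays attached to the conntrack entry; if that is the case, a comment such as `/* helper may be unset while the help extension remains attached */` would record it. The function starts before and continues after the hunk, so whether later code reads `help->helper` again without this guard cannot be checked from here.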

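--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1600,6 +1600,8 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
 
 if (nft_base_chain_netdev(family, ops->hooknum)) {
 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
+if (!nest_devs)
+goto nla_put_failure;
 
 if (!hook_list)
 hook_list = &basechain->hook_list;
@@ -9005,7 +9007,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
 continue;
 }
 
-if (WARN_ON_ONCE(data + expr->ops->size > data_boundary))
+if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
 return -ENOMEM;
 
 memcpy(data + size, expr, expr->ops->size);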
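Review bot: In the second hunk, the corrected test `data + size + expr->ops->size > data_boundary` and the `memcpy(data + size, ...)` below it still compute the write position separately, which is how the check and the copy drifted apart before this fix. Computing the destination once and using it in both places, or phrasing the test as remaining space (`expr->ops->size > data_boundary - (data + size)`, assuming the pointer types allow it), keeps the bound tied to the copy and avoids forming a pointer past the boundary. The failure path is a `WARN_ON_ONCE`, so on hosts with panic_on_warn set it takes the machine down if it ever fires. If a ruleset loaded from userspace can influence these sizes, the size accounting done before this point should be what guarantees it never does. The function body starts and ends outside the hunk, so that accounting is not visible here.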

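--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -323,7 +323,7 @@ static bool nft_bitwise_reduce(struct nft_regs_track *track,
 dreg = priv->dreg;
 regcount = DIV_ROUND_UP(priv->len, NFT_REG32_SIZE);
 for (i = 0; i < regcount; i++, dreg++)
-track->regs[priv->dreg].bitwise = expr;
+track->regs[dreg].bitwise = expr;
 
 return false;
 }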
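Review bot: With the index corrected to `dreg`, the loop now writes `regcount` consecutive entries of `track->regs` starting at `priv->dreg`, where the old code only ever touched one, and nothing in the hunk bounds `priv->dreg + regcount` against the size of that array. Presumably `priv->dreg` and `priv->len` are range-checked when the expression is initialised, but that code is outside the hunk and should be confirmed. Once verified, a comment above the loop such as `/* dreg and len were validated at init, so the whole register span is in bounds */` would make the assumption explicit. The function begins before the hunk.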
