Commit 20c47646 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Missing nul-check in basechain hook netlink dump path, from Gavrilov Ilia.

2) Fix bitwise register tracking, from Jeremy Sowden.

3) Null pointer dereference when accessing conntrack helper,
   from Tijs Van Buggenhout.

4) Add schedule point to ipset's call_ad, from Kuniyuki Iwashima.

5) Incorrect boundary check when building chain blob.

* tag 'nf-23-06-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: out-of-bound check in chain blob
  netfilter: ipset: Add schedule point in call_ad().
  netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
  netfilter: nft_bitwise: fix register tracking
  netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()
====================

Link: https://lore.kernel.org/r/20230606225851.67394-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents e684ab76 08e42a0d
...@@ -1694,6 +1694,14 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb, ...@@ -1694,6 +1694,14 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
bool eexist = flags & IPSET_FLAG_EXIST, retried = false; bool eexist = flags & IPSET_FLAG_EXIST, retried = false;
do { do {
if (retried) {
__ip_set_get(set);
nfnl_unlock(NFNL_SUBSYS_IPSET);
cond_resched();
nfnl_lock(NFNL_SUBSYS_IPSET);
__ip_set_put(set);
}
ip_set_lock(set); ip_set_lock(set);
ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried); ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
ip_set_unlock(set); ip_set_unlock(set);
......
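Review bot: The get/unlock/resched/lock/put sequence added under `if (retried)` carries no comment, and the reason for taking a reference there is not evident from the hunk. Presumably `__ip_set_get()` pins the set so it cannot be destroyed while the nfnl mutex is released; a comment such as `/* pin the set: the nfnl mutex is dropped to reschedule, so the set must stay alive until it is re-taken */` would record that. It is also worth stating that nothing other than `set` looked up under the mutex before the loop may be relied on after relocking. The loop condition and the rest of call_ad lie outside the hunk, so whether the number of retries is bounded cannot be checked from here.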
...@@ -2260,6 +2260,9 @@ static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct, ...@@ -2260,6 +2260,9 @@ static int nf_confirm_cthelper(struct sk_buff *skb, struct nf_conn *ct,
return 0; return 0;
helper = rcu_dereference(help->helper); helper = rcu_dereference(help->helper);
if (!helper)
return 0;
if (!(helper->flags & NF_CT_HELPER_F_USERSPACE)) if (!(helper->flags & NF_CT_HELPER_F_USERSPACE))
return 0; return 0;
......
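Review bot: The new `if (!helper) return 0;` guard should say when `help->helper` can be NULL while the help extension is still attached, for example `/* helper already detached/unregistered: nothing to confirm */`. That condition is inferred from the names only, so it needs confirming against the helper teardown path. Without the comment a reader cannot tell whether NULL is an expected state on this packet path or a bug being papered over. The function begins and ends outside the hunk.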
...@@ -1600,6 +1600,8 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family, ...@@ -1600,6 +1600,8 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
if (nft_base_chain_netdev(family, ops->hooknum)) { if (nft_base_chain_netdev(family, ops->hooknum)) {
nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
if (!nest_devs)
goto nla_put_failure;
if (!hook_list) if (!hook_list)
hook_list = &basechain->hook_list; hook_list = &basechain->hook_list;
...@@ -9005,7 +9007,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha ...@@ -9005,7 +9007,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
continue; continue;
} }
if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
return -ENOMEM; return -ENOMEM;
memcpy(data + size, expr, expr->ops->size); memcpy(data + size, expr, expr->ops->size);
......
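Review bot: In the chain-blob hunk, the corrected check `data + size + expr->ops->size > data_boundary` still forms the end pointer before comparing it, so an inconsistent size would step past the buffer in the test itself. Comparing lengths avoids that, e.g. `if (WARN_ON_ONCE(expr->ops->size > data_boundary - (data + size)))`, assuming `data + size` never exceeds `data_boundary` at that point; the declarations and the loop head are outside the hunk. `-ENOMEM` here reports a size-accounting mismatch rather than a failed allocation, which a short comment on the return could make explicit.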
...@@ -323,7 +323,7 @@ static bool nft_bitwise_reduce(struct nft_regs_track *track, ...@@ -323,7 +323,7 @@ static bool nft_bitwise_reduce(struct nft_regs_track *track,
dreg = priv->dreg; dreg = priv->dreg;
regcount = DIV_ROUND_UP(priv->len, NFT_REG32_SIZE); regcount = DIV_ROUND_UP(priv->len, NFT_REG32_SIZE);
for (i = 0; i < regcount; i++, dreg++) for (i = 0; i < regcount; i++, dreg++)
track->regs[priv->dreg].bitwise = expr; track->regs[dreg].bitwise = expr;
return false; return false;
} }
......
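Review bot: With `track->regs[dreg]` the loop now writes `regcount` consecutive entries starting at `priv->dreg`, where the old line only ever touched one, so the bound on `priv->dreg + regcount` matters for the first time in this function. The hunk shows no check against the size of `track->regs`; presumably the register range is validated when the expression is initialised, and a comment saying so (or an assertion) would make the invariant visible here. As a style point, `track->regs[priv->dreg + i].bitwise = expr;` would drop the second loop variable and keep the indexing in one place. The start of nft_bitwise_reduce is outside the hunk.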