Commit 1d9a7acd authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: conntrack: dccp, sctp: handle null timeout argument

The timeout pointer can be NULL which means we should modify the
per-nets timeout instead.

All do this, except sctp and dccp which instead give:

general protection fault: 0000 [#1] PREEMPT SMP KASAN
net/netfilter/nf_conntrack_proto_dccp.c:682
 ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67
 cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368
 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477

Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com
Fixes: c779e849 ("netfilter: conntrack: remove get_timeout() indirection")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent fb46f1b7
...@@ -677,6 +677,9 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], ...@@ -677,6 +677,9 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
unsigned int *timeouts = data; unsigned int *timeouts = data;
int i; int i;
if (!timeouts)
timeouts = dn->dccp_timeout;
/* set default DCCP timeouts. */ /* set default DCCP timeouts. */
for (i=0; i<CT_DCCP_MAX; i++) for (i=0; i<CT_DCCP_MAX; i++)
timeouts[i] = dn->dccp_timeout[i]; timeouts[i] = dn->dccp_timeout[i];
......
...@@ -594,6 +594,9 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], ...@@ -594,6 +594,9 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
struct nf_sctp_net *sn = nf_sctp_pernet(net); struct nf_sctp_net *sn = nf_sctp_pernet(net);
int i; int i;
if (!timeouts)
timeouts = sn->timeouts;
/* set default SCTP timeouts. */ /* set default SCTP timeouts. */
for (i=0; i<SCTP_CONNTRACK_MAX; i++) for (i=0; i<SCTP_CONNTRACK_MAX; i++)
timeouts[i] = sn->timeouts[i]; timeouts[i] = sn->timeouts[i];
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment