mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
netfilter: nf_tables: fix addition/deletion of elements from commit/abort
We have several problems in this path: 1) There is a use-after-free when removing individual elements from the commit path. 2) We have to uninit() the data part of the element from the abort path to avoid a chain refcount leak. 3) We have to check for set->flags to see if there's a mapping, instead of the element flags. 4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip elements that are part of the interval that have no data part, so they don't need to be uninit(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso
parent
2156d321b8
commit
02263db00b
@ -3612,12 +3612,11 @@ static int nf_tables_commit(struct sk_buff *skb)
|
|||||||
&te->elem,
|
&te->elem,
|
||||||
NFT_MSG_DELSETELEM, 0);
|
NFT_MSG_DELSETELEM, 0);
|
||||||
te->set->ops->get(te->set, &te->elem);
|
te->set->ops->get(te->set, &te->elem);
|
||||||
te->set->ops->remove(te->set, &te->elem);
|
|
||||||
nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
|
nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
|
||||||
if (te->elem.flags & NFT_SET_MAP) {
|
if (te->set->flags & NFT_SET_MAP &&
|
||||||
nft_data_uninit(&te->elem.data,
|
!(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
|
||||||
te->set->dtype);
|
nft_data_uninit(&te->elem.data, te->set->dtype);
|
||||||
}
|
te->set->ops->remove(te->set, &te->elem);
|
||||||
nft_trans_destroy(trans);
|
nft_trans_destroy(trans);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -3658,7 +3657,7 @@ static int nf_tables_abort(struct sk_buff *skb)
|
|||||||
{
|
{
|
||||||
struct net *net = sock_net(skb->sk);
|
struct net *net = sock_net(skb->sk);
|
||||||
struct nft_trans *trans, *next;
|
struct nft_trans *trans, *next;
|
||||||
struct nft_set *set;
|
struct nft_trans_elem *te;
|
||||||
|
|
||||||
list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
|
list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
|
||||||
switch (trans->msg_type) {
|
switch (trans->msg_type) {
|
||||||
@ -3719,9 +3718,13 @@ static int nf_tables_abort(struct sk_buff *skb)
|
|||||||
break;
|
break;
|
||||||
case NFT_MSG_NEWSETELEM:
|
case NFT_MSG_NEWSETELEM:
|
||||||
nft_trans_elem_set(trans)->nelems--;
|
nft_trans_elem_set(trans)->nelems--;
|
||||||
set = nft_trans_elem_set(trans);
|
te = (struct nft_trans_elem *)trans->data;
|
||||||
set->ops->get(set, &nft_trans_elem(trans));
|
te->set->ops->get(te->set, &te->elem);
|
||||||
set->ops->remove(set, &nft_trans_elem(trans));
|
nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
|
||||||
|
if (te->set->flags & NFT_SET_MAP &&
|
||||||
|
!(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
|
||||||
|
nft_data_uninit(&te->elem.data, te->set->dtype);
|
||||||
|
te->set->ops->remove(te->set, &te->elem);
|
||||||
nft_trans_destroy(trans);
|
nft_trans_destroy(trans);
|
||||||
break;
|
break;
|
||||||
case NFT_MSG_DELSETELEM:
|
case NFT_MSG_DELSETELEM:
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user