OpenWrt – Diff between revs 2 and 3
?pathlinks?
| Rev 2 | Rev 3 | |||
|---|---|---|---|---|
| 1 | From: Hangbin Liu <liuhangbin@gmail.com> |
1 | From: Hangbin Liu <liuhangbin@gmail.com> |
|
| 2 | Date: Mon, 25 Dec 2017 11:34:54 +0800 |
2 | Date: Mon, 25 Dec 2017 11:34:54 +0800 |
|
| 3 | Subject: [PATCH] netfilter: nf_tables: fix potential NULL-ptr deref in |
3 | Subject: [PATCH] netfilter: nf_tables: fix potential NULL-ptr deref in |
|
| 4 | nf_tables_dump_obj_done() |
4 | nf_tables_dump_obj_done() |
|
| 5 | |
5 | |
|
| 6 | If there is no NFTA_OBJ_TABLE and NFTA_OBJ_TYPE, the c.data will be NULL in |
6 | If there is no NFTA_OBJ_TABLE and NFTA_OBJ_TYPE, the c.data will be NULL in |
|
| 7 | nf_tables_getobj(). So before free filter->table in nf_tables_dump_obj_done(), |
7 | nf_tables_getobj(). So before free filter->table in nf_tables_dump_obj_done(), |
|
| 8 | we need to check if filter is NULL first. |
8 | we need to check if filter is NULL first. |
|
| 9 | |
9 | |
|
| 10 | Fixes: e46abbcc05aa ("netfilter: nf_tables: Allow table names of up to 255 chars") |
10 | Fixes: e46abbcc05aa ("netfilter: nf_tables: Allow table names of up to 255 chars") |
|
| 11 | Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> |
11 | Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> |
|
| 12 | Acked-by: Phil Sutter <phil@nwl.cc> |
12 | Acked-by: Phil Sutter <phil@nwl.cc> |
|
| 13 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
13 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
|
| 14 | --- |
14 | --- |
|
| 15 | |
15 | |
|
| 16 | --- a/net/netfilter/nf_tables_api.c |
16 | --- a/net/netfilter/nf_tables_api.c |
|
| 17 | +++ b/net/netfilter/nf_tables_api.c |
17 | +++ b/net/netfilter/nf_tables_api.c |
|
| 18 | @@ -5324,8 +5324,10 @@ static int nf_tables_dump_flowtable_done |
18 | @@ -5313,8 +5313,10 @@ static int nf_tables_dump_flowtable_done |
|
| 19 | if (!filter) |
19 | if (!filter) |
|
| 20 | return 0; |
20 | return 0; |
|
| 21 | |
21 | |
|
| 22 | - kfree(filter->table); |
22 | - kfree(filter->table); |
|
| 23 | - kfree(filter); |
23 | - kfree(filter); |
|
| 24 | + if (filter) { |
24 | + if (filter) { |
|
| 25 | + kfree(filter->table); |
25 | + kfree(filter->table); |
|
| 26 | + kfree(filter); |
26 | + kfree(filter); |
|
| 27 | + } |
27 | + } |
|
| 28 | |
28 | |
|
| 29 | return 0; |
29 | return 0; |
|
| 30 | } |
30 | } |
|
| 31 | |
31 | |
|