Commit 00a3101f authored Aug 08, 2016 by Liping Zhang Committed by Pablo Neira Ayuso Aug 09, 2016

netfilter: nfnetlink_queue: reject verdict request from different portid



Like NFQNL_MSG_VERDICT_BATCH do, we should also reject the verdict
request when the portid is not same with the initial portid(maybe
from another process).

Fixes: 97d32cf9 ("netfilter: nfnetlink_queue: batch verdict support")
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent b18bcb00

net/netfilter/nfnetlink_queue.c

+2 −4

Original line number	Original line	Diff line number	Diff line
	@@ -1145,8 +1145,6 @@ static int nfqnl_recv_verdict(struct net net, struct sock ctnl,
	struct nfnl_queue_net *q = nfnl_queue_pernet(net);		struct nfnl_queue_net *q = nfnl_queue_pernet(net);
	int err;		int err;

	queue = instance_lookup(q, queue_num);
	if (!queue)
	queue = verdict_instance_lookup(q, queue_num,		queue = verdict_instance_lookup(q, queue_num,
	NETLINK_CB(skb).portid);		NETLINK_CB(skb).portid);
	if (IS_ERR(queue))		if (IS_ERR(queue))