Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 07ac4181 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Greg Kroah-Hartman
Browse files

netfilter: nf_tables: add __nft_chain_type_get() 



commit 826035498ec14b77b62a44f0cb6b94d45530db6f upstream.

This new helper function validates that unknown family and chain type
coming from userspace do not trigger an out-of-bound array access. Bail
out in case __nft_chain_type_get() returns NULL from
nft_chain_parse_hook().

Fixes: 9370761c ("netfilter: nf_tables: convert built-in tables/chains to chain types")
Reported-by: default avatar <syzbot+156a04714799b1d480bc@syzkaller.appspotmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent ea52197c

net/netfilter/nf_tables_api.c

+21 −8
Original line number Diff line number Diff line
@@ -488,15 +488,28 @@ static inline u64 nf_tables_alloc_handle(struct nft_table *table) 


static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];



static const struct nft_chain_type *

__nft_chain_type_get(u8 family, enum nft_chain_types type)

{

	if (family >= NFPROTO_NUMPROTO ||

	    type >= NFT_CHAIN_T_MAX)

		return NULL;



	return chain_type[family][type];

}



static const struct nft_chain_type *

__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)

{

	const struct nft_chain_type *type;

	int i;



	for (i = 0; i < NFT_CHAIN_T_MAX; i++) {

		if (chain_type[family][i] != NULL &&

		    !nla_strcmp(nla, chain_type[family][i]->name))

			return chain_type[family][i];

		type = __nft_chain_type_get(family, i);

		if (!type)

			continue;

		if (!nla_strcmp(nla, type->name))

			return type;

	}

	return NULL;

}
@@ -1095,11 +1108,8 @@ static void nf_tables_table_destroy(struct nft_ctx *ctx) 


void nft_register_chain_type(const struct nft_chain_type *ctype)

{

	if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))

		return;



	nfnl_lock(NFNL_SUBSYS_NFTABLES);

	if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {

	if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {

		nfnl_unlock(NFNL_SUBSYS_NFTABLES);

		return;

	}
@@ -1551,7 +1561,10 @@ static int nft_chain_parse_hook(struct net *net, 
	hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));

	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));



	type = chain_type[family][NFT_CHAIN_T_DEFAULT];

	type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);

	if (!type)

		return -EOPNOTSUPP;



	if (nla[NFTA_CHAIN_TYPE]) {

		type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],

						   family, autoload);