author: Phil Turnbull <phil.turnbull@oracle.com> 2016-05-27 19:34:04 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-30 12:21:23 +0200
commit: eaa2bcd6d1d410a52df8c7b05e76d86c0319b7b0
tree: bfe420585bb687c2f58e916438aa4c8bee0a30c8
parent: netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
netfilter: nf_tables: validate NFTA_SET_TABLE parameter

If the NFTA_SET_TABLE parameter is missing and the NLM_F_DUMP flag is not set, then a NULL pointer dereference is triggered in nf_tables_set_lookup because ctx.table is NULL.

Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

-rw-r--r-- net/netfilter/nf_tables_api.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2011977cd79d..6947e255cdd8 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2641,6 +2641,8 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk,
/* Only accept unspec with dump */
if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
return -EAFNOSUPPORT;
+ if (!nla[NFTA_SET_TABLE])
+ return -EINVAL;
set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
if (IS_ERR(set))
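Review bot: the added `if (!nla[NFTA_SET_TABLE])` check carries no comment explaining why it is required at this point, directly before `nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME])`. A one-line comment in the style of the existing `/* Only accept unspec with dump */` would help, noting that ctx.table is NULL when the attribute is absent, as the commit message describes. The same call also passes `nla[NFTA_SET_NAME]` with no presence check visible in this hunk; it is worth confirming that nf_tables_set_lookup returns an error for a missing name attribute, or adding an equivalent `-EINVAL` check next to this one.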