authorFlavio Leitner <fbl@redhat.com>2018-09-28 00:36:28 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-09-28 14:47:41 +0200
commit40e4f26e6a14fc1496eabb8b0004a547303114e6 (patch)
treed6c9c65b4fdff4d5ff1589806a83a056510865e6
parentnetfilter: avoid erronous array bounds warning (diff)
netfilter: xt_socket: check sk before checking for netns.
Only check for the network namespace if the socket is available. Fixes: f564650106a6 ("netfilter: check if the socket netns is correct.") Reported-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--net/netfilter/xt_socket.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 0472f3472842..ada144e5645b 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -56,7 +56,7 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
struct sk_buff *pskb = (struct sk_buff *)skb;
struct sock *sk = skb->sk;
- if (!net_eq(xt_net(par), sock_net(sk)))
+ if (sk && !net_eq(xt_net(par), sock_net(sk)))
sk = NULL;
if (!sk)
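Review bot: The guard added in socket_match, `if (sk && !net_eq(xt_net(par), sock_net(sk)))`, is repeated verbatim in socket_mt6_v1_v2_v3 in the second hunk, and neither site says why skb->sk can be NULL here or why a socket from another namespace is discarded. A one-line comment above each check, for example `/* skb->sk may be NULL; ignore a socket that belongs to a different netns */`, would make it harder for a later edit to reintroduce the unguarded sock_net(sk) dereference that this commit fixes. Because the two sites have to stay in step, a small static helper that returns the namespace-checked socket (or NULL) could replace both copies. Both function bodies continue outside the hunks, so how `sk` is used after the `if (!sk)` line is not visible here.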
@@ -117,7 +117,7 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
struct sk_buff *pskb = (struct sk_buff *)skb;
struct sock *sk = skb->sk;
- if (!net_eq(xt_net(par), sock_net(sk)))
+ if (sk && !net_eq(xt_net(par), sock_net(sk)))
sk = NULL;
if (!sk)