netfilter: nfnetlink_hook: fix array index out-of-bounds error

Currently the array net->nf.hooks_ipv6 is accessed by index hook before hook is sanity checked. Fix this by moving the sanity check to before the array access. Addresses-Coverity: ("Out-of-bounds access") Fixes: e2cf17d3774c ("netfilter: add new hook nfnl subsystem") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Colin Ian King <colin.king@canonical.com> 2021-06-08 17:34:08 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-09 21:28:50 +0200
commit: 5302560bb49d38bf6e62a47c44e19ef04bd5344d (patch)
tree: c67606d85188f76a34746f25fe94f3f6697f39a4 /net
parent: netfilter: nft_exthdr: Fix for unsafe packet data read (diff)
download: linux-5302560bb49d38bf6e62a47c44e19ef04bd5344d.tar.xz
linux-5302560bb49d38bf6e62a47c44e19ef04bd5344d.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink_hook.c b/net/netfilter/nfnetlink_hook.c
index 04586dfa2acd..58fda6ac663b 100644
--- a/net/netfilter/nfnetlink_hook.c
+++ b/net/netfilter/nfnetlink_hook.c
@@ -181,9 +181,9 @@ nfnl_hook_entries_head(u8 pf, unsigned int hook, struct net *net, const char *de
 		hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
 		break;
 	case NFPROTO_IPV6:
-		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
 		if (hook >= ARRAY_SIZE(net->nf.hooks_ipv6))
 			return ERR_PTR(-EINVAL);
+		hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
 		break;
 	case NFPROTO_ARP:
 #ifdef CONFIG_NETFILTER_FAMILY_ARP
author	Colin Ian King <colin.king@canonical.com>	2021-06-08 17:34:08 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-06-09 21:28:50 +0200
commit	5302560bb49d38bf6e62a47c44e19ef04bd5344d (patch)
tree	c67606d85188f76a34746f25fe94f3f6697f39a4 /net
parent	netfilter: nft_exthdr: Fix for unsafe packet data read (diff)
download	linux-5302560bb49d38bf6e62a47c44e19ef04bd5344d.tar.xz linux-5302560bb49d38bf6e62a47c44e19ef04bd5344d.zip