mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-06 13:23:18 +00:00
netfilter: nft_inner: validate mandatory meta and payload
Check for mandatory netlink attributes in payload and meta expression when used embedded from the inner expression, otherwise NULL pointer dereference is possible from userspace. Fixes:a150d122b6
("netfilter: nft_meta: add inner match support") Fixes:3a07327d10
("netfilter: nft_inner: support for inner tunnel header matching") Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
36534d3c54
commit
c4ab9da85b
@ -839,6 +839,9 @@ static int nft_meta_inner_init(const struct nft_ctx *ctx,
|
||||
struct nft_meta *priv = nft_expr_priv(expr);
|
||||
unsigned int len;
|
||||
|
||||
if (!tb[NFTA_META_KEY] || !tb[NFTA_META_DREG])
|
||||
return -EINVAL;
|
||||
|
||||
priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
|
||||
switch (priv->key) {
|
||||
case NFT_META_PROTOCOL:
|
||||
|
@ -650,6 +650,10 @@ static int nft_payload_inner_init(const struct nft_ctx *ctx,
|
||||
struct nft_payload *priv = nft_expr_priv(expr);
|
||||
u32 base;
|
||||
|
||||
if (!tb[NFTA_PAYLOAD_BASE] || !tb[NFTA_PAYLOAD_OFFSET] ||
|
||||
!tb[NFTA_PAYLOAD_LEN] || !tb[NFTA_PAYLOAD_DREG])
|
||||
return -EINVAL;
|
||||
|
||||
base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
|
||||
switch (base) {
|
||||
case NFT_PAYLOAD_TUN_HEADER:
|
||||
|
Loading…
Reference in New Issue
Block a user