Commit c4ab9da8 authored by Davide Ornaghi's avatar Davide Ornaghi Committed by Pablo Neira Ayuso

netfilter: nft_inner: validate mandatory meta and payload

Check for the mandatory netlink attributes in the payload and meta
expressions when they are used embedded in the inner expression;
otherwise a NULL pointer dereference can be triggered from userspace.

Fixes: a150d122 ("netfilter: nft_meta: add inner match support")
Fixes: 3a07327d ("netfilter: nft_inner: support for inner tunnel header matching")
Signed-off-by: default avatarDavide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 36534d3c
...@@ -839,6 +839,9 @@ static int nft_meta_inner_init(const struct nft_ctx *ctx, ...@@ -839,6 +839,9 @@ static int nft_meta_inner_init(const struct nft_ctx *ctx,
struct nft_meta *priv = nft_expr_priv(expr); struct nft_meta *priv = nft_expr_priv(expr);
unsigned int len; unsigned int len;
if (!tb[NFTA_META_KEY] || !tb[NFTA_META_DREG])
return -EINVAL;
priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY])); priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
switch (priv->key) { switch (priv->key) {
case NFT_META_PROTOCOL: case NFT_META_PROTOCOL:
......
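Review bot: The new guard `if (!tb[NFTA_META_KEY] || !tb[NFTA_META_DREG])` in nft_meta_inner_init has no comment explaining why this init must check attribute presence itself, and the same applies to the guard added in nft_payload_inner_init. Going by the commit message, these inits are reached when the expression is embedded in the inner expression, and presumably nothing on that path checks for missing attributes first. A one-line comment above each guard, for example `/* Embedded via nft_inner: mandatory attributes must be checked here before any tb[] dereference. */`, would stop a later cleanup from removing the check as redundant. The function body continues past the visible lines, so the use of tb[NFTA_META_DREG] that the second half of the condition protects cannot be seen in this hunk.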
...@@ -650,6 +650,10 @@ static int nft_payload_inner_init(const struct nft_ctx *ctx, ...@@ -650,6 +650,10 @@ static int nft_payload_inner_init(const struct nft_ctx *ctx,
struct nft_payload *priv = nft_expr_priv(expr); struct nft_payload *priv = nft_expr_priv(expr);
u32 base; u32 base;
if (!tb[NFTA_PAYLOAD_BASE] || !tb[NFTA_PAYLOAD_OFFSET] ||
!tb[NFTA_PAYLOAD_LEN] || !tb[NFTA_PAYLOAD_DREG])
return -EINVAL;
base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE])); base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
switch (base) { switch (base) {
case NFT_PAYLOAD_TUN_HEADER: case NFT_PAYLOAD_TUN_HEADER:
......
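Review bot: The guard added before `base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));` establishes only that the four attributes are present, while nla_get_be32() also relies on each attribute carrying at least four bytes. That size check is presumably done by the netlink policy applied where tb[] is parsed for the inner expression, which is outside this hunk, so it is worth confirming that the inner path parses with the payload policy before calling this init. A short comment such as `/* presence only; attribute sizes rely on the policy applied when tb[] is parsed */` would record that dependency. The reads of NFTA_PAYLOAD_OFFSET, NFTA_PAYLOAD_LEN and NFTA_PAYLOAD_DREG are below the visible lines, so their range handling cannot be reviewed from this hunk.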