Commit fa5950e4 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: nf_tables: avoid BUG_ON usage

None of these spots really needs to crash the kernel.
In one two cases we can just report error to userspace, in the other
cases we can just use WARN_ON (and leak memory instead).
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 0d704967
...@@ -1021,7 +1021,8 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk, ...@@ -1021,7 +1021,8 @@ static int nf_tables_deltable(struct net *net, struct sock *nlsk,
static void nf_tables_table_destroy(struct nft_ctx *ctx) static void nf_tables_table_destroy(struct nft_ctx *ctx)
{ {
BUG_ON(ctx->table->use > 0); if (WARN_ON(ctx->table->use > 0))
return;
rhltable_destroy(&ctx->table->chains_ht); rhltable_destroy(&ctx->table->chains_ht);
kfree(ctx->table->name); kfree(ctx->table->name);
...@@ -1428,7 +1429,8 @@ static void nf_tables_chain_destroy(struct nft_ctx *ctx) ...@@ -1428,7 +1429,8 @@ static void nf_tables_chain_destroy(struct nft_ctx *ctx)
{ {
struct nft_chain *chain = ctx->chain; struct nft_chain *chain = ctx->chain;
BUG_ON(chain->use > 0); if (WARN_ON(chain->use > 0))
return;
/* no concurrent access possible anymore */ /* no concurrent access possible anymore */
nf_tables_chain_free_chain_rules(chain); nf_tables_chain_free_chain_rules(chain);
...@@ -7243,7 +7245,8 @@ int __nft_release_basechain(struct nft_ctx *ctx) ...@@ -7243,7 +7245,8 @@ int __nft_release_basechain(struct nft_ctx *ctx)
{ {
struct nft_rule *rule, *nr; struct nft_rule *rule, *nr;
BUG_ON(!nft_is_base_chain(ctx->chain)); if (WARN_ON(!nft_is_base_chain(ctx->chain)))
return 0;
nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
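Review bot: The early `return` after `WARN_ON(ctx->table->use > 0)` in nf_tables_table_destroy, and the matching one after `WARN_ON(chain->use > 0)` in nf_tables_chain_destroy, deliberately skips every free, but nothing in the code says the leak is intended. A short comment such as `/* still referenced: leak the object rather than free it under a live user */` would stop a later cleanup from turning the leak into a use-after-free. WARN_ON still halts the machine where panic_on_warn is set, so these conditions should stay unreachable in practice. In __nft_release_basechain the new `return 0;` reports success although no hook was unregistered and no rule released; whether a negative errno would be safer depends on callers outside this view. All three function bodies continue past the hunks shown.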
......
...@@ -79,7 +79,8 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr, ...@@ -79,7 +79,8 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc, err = nft_data_init(NULL, &priv->data, sizeof(priv->data), &desc,
tb[NFTA_CMP_DATA]); tb[NFTA_CMP_DATA]);
BUG_ON(err < 0); if (err < 0)
return err;
priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]); priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]);
err = nft_validate_register_load(priv->sreg, desc.len); err = nft_validate_register_load(priv->sreg, desc.len);
...@@ -129,7 +130,8 @@ static int nft_cmp_fast_init(const struct nft_ctx *ctx, ...@@ -129,7 +130,8 @@ static int nft_cmp_fast_init(const struct nft_ctx *ctx,
err = nft_data_init(NULL, &data, sizeof(data), &desc, err = nft_data_init(NULL, &data, sizeof(data), &desc,
tb[NFTA_CMP_DATA]); tb[NFTA_CMP_DATA]);
BUG_ON(err < 0); if (err < 0)
return err;
priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]); priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]);
err = nft_validate_register_load(priv->sreg, desc.len); err = nft_validate_register_load(priv->sreg, desc.len);
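Review bot: Between nft_data_init() and the use of `desc.len` in nft_validate_register_load(), neither nft_cmp_init nor nft_cmp_fast_init visibly checks that `desc.type` is NFT_DATA_VALUE. If that is already guaranteed by code outside this view, it deserves a comment at the call, e.g. `/* desc.type was validated as NFT_DATA_VALUE before init runs */`. If it is not, a non-value result should be released and rejected with -EINVAL before the register is parsed. Both functions start and end outside the hunks.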
......
...@@ -94,7 +94,8 @@ static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX + 1] = { ...@@ -94,7 +94,8 @@ static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX + 1] = {
int nft_reject_icmp_code(u8 code) int nft_reject_icmp_code(u8 code)
{ {
BUG_ON(code > NFT_REJECT_ICMPX_MAX); if (WARN_ON_ONCE(code > NFT_REJECT_ICMPX_MAX))
return ICMP_NET_UNREACH;
return icmp_code_v4[code]; return icmp_code_v4[code];
} }
...@@ -111,7 +112,8 @@ static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX + 1] = { ...@@ -111,7 +112,8 @@ static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX + 1] = {
int nft_reject_icmpv6_code(u8 code) int nft_reject_icmpv6_code(u8 code)
{ {
BUG_ON(code > NFT_REJECT_ICMPX_MAX); if (WARN_ON_ONCE(code > NFT_REJECT_ICMPX_MAX))
return ICMPV6_NOROUTE;
return icmp_code_v6[code]; return icmp_code_v6[code];
} }
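Review bot: The guards in nft_reject_icmp_code and nft_reject_icmpv6_code now keep an out-of-range `code` from indexing past icmp_code_v4[] and icmp_code_v6[], but the fallback values are chosen without explanation. A comment above each early return, for example `/* invalid abstracted code: warn once and fall back to a defined ICMP code instead of reading past the table */`, would record why ICMP_NET_UNREACH and ICMPV6_NOROUTE were picked. It is also worth confirming that `code` is range-checked where the rule is created (not visible here), so that the warning cannot be triggered by attributes supplied from userspace.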
......