diff options
| author | Patrick McHardy <kaber@trash.net> | 2007-12-18 01:39:55 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:59:00 -0500 |
| commit | c0506365a928adfd5608ed6873a705ae18e2daaf (patch) | |
| tree | e61abaf91c2b198f1b8c5db45ad46eb0bff2c9c8 | |
| parent | a7c42955e036127f793ad955d3ec718494efb1eb (diff) | |
[NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config
Similar to the nfnetlink_queue fixes:
The peer_pid must be checked in all cases when a logging instance exists,
additionally we must check whether an instance exists before attempting
to configure it to avoid NULL ptr dereferences.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/netfilter/nfnetlink_log.c | 49 |
1 files changed, 27 insertions, 22 deletions
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index 02e63577e156..3dcc6f51a52e 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c | |||
| @@ -753,9 +753,15 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, | |||
| 753 | UDEBUG("entering for msg %u\n", NFNL_MSG_TYPE(nlh->nlmsg_type)); | 753 | UDEBUG("entering for msg %u\n", NFNL_MSG_TYPE(nlh->nlmsg_type)); |
| 754 | 754 | ||
| 755 | inst = instance_lookup_get(group_num); | 755 | inst = instance_lookup_get(group_num); |
| 756 | if (inst && inst->peer_pid != NETLINK_CB(skb).pid) { | ||
| 757 | ret = -EPERM; | ||
| 758 | goto out_put; | ||
| 759 | } | ||
| 760 | |||
| 756 | if (nfula[NFULA_CFG_CMD]) { | 761 | if (nfula[NFULA_CFG_CMD]) { |
| 757 | u_int8_t pf = nfmsg->nfgen_family; | 762 | u_int8_t pf = nfmsg->nfgen_family; |
| 758 | struct nfulnl_msg_config_cmd *cmd; | 763 | struct nfulnl_msg_config_cmd *cmd; |
| 764 | |||
| 759 | cmd = nla_data(nfula[NFULA_CFG_CMD]); | 765 | cmd = nla_data(nfula[NFULA_CFG_CMD]); |
| 760 | UDEBUG("found CFG_CMD for\n"); | 766 | UDEBUG("found CFG_CMD for\n"); |
| 761 | 767 | ||
| @@ -779,11 +785,6 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, | |||
| 779 | goto out; | 785 | goto out; |
| 780 | } | 786 | } |
| 781 | 787 | ||
| 782 | if (inst->peer_pid != NETLINK_CB(skb).pid) { | ||
| 783 | ret = -EPERM; | ||
| 784 | goto out_put; | ||
| 785 | } | ||
| 786 | |||
| 787 | instance_destroy(inst); | 788 | instance_destroy(inst); |
| 788 | goto out; | 789 | goto out; |
| 789 | case NFULNL_CFG_CMD_PF_BIND: | 790 | case NFULNL_CFG_CMD_PF_BIND: |
| @@ -800,29 +801,16 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, | |||
| 800 | ret = -EINVAL; | 801 | ret = -EINVAL; |
| 801 | break; | 802 | break; |
| 802 | } | 803 | } |
| 803 | |||
| 804 | if (!inst) | ||
| 805 | goto out; | ||
| 806 | } else { | ||
| 807 | if (!inst) { | ||
| 808 | UDEBUG("no config command, and no instance for " | ||
| 809 | "group=%u pid=%u =>ENOENT\n", | ||
| 810 | group_num, NETLINK_CB(skb).pid); | ||
| 811 | ret = -ENOENT; | ||
| 812 | goto out; | ||
| 813 | } | ||
| 814 | |||
| 815 | if (inst->peer_pid != NETLINK_CB(skb).pid) { | ||
| 816 | UDEBUG("no config command, and wrong pid\n"); | ||
| 817 | ret = -EPERM; | ||
| 818 | goto out_put; | ||
| 819 | } | ||
| 820 | } | 804 | } |
| 821 | 805 | ||
| 822 | if (nfula[NFULA_CFG_MODE]) { | 806 | if (nfula[NFULA_CFG_MODE]) { |
| 823 | struct nfulnl_msg_config_mode *params; | 807 | struct nfulnl_msg_config_mode *params; |
| 824 | params = nla_data(nfula[NFULA_CFG_MODE]); | 808 | params = nla_data(nfula[NFULA_CFG_MODE]); |
| 825 | 809 | ||
| 810 | if (!inst) { | ||
| 811 | ret = -ENODEV; | ||
| 812 | goto out; | ||
| 813 | } | ||
| 826 | nfulnl_set_mode(inst, params->copy_mode, | 814 | nfulnl_set_mode(inst, params->copy_mode, |
| 827 | ntohl(params->copy_range)); | 815 | ntohl(params->copy_range)); |
| 828 | } | 816 | } |
| @@ -831,6 +819,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, | |||
| 831 | __be32 timeout = | 819 | __be32 timeout = |
| 832 | *(__be32 *)nla_data(nfula[NFULA_CFG_TIMEOUT]); | 820 | *(__be32 *)nla_data(nfula[NFULA_CFG_TIMEOUT]); |
| 833 | 821 | ||
| 822 | if (!inst) { | ||
| 823 | ret = -ENODEV; | ||
| 824 | goto out; | ||
| 825 | } | ||
| 834 | nfulnl_set_timeout(inst, ntohl(timeout)); | 826 | nfulnl_set_timeout(inst, ntohl(timeout)); |
| 835 | } | 827 | } |
| 836 | 828 | ||
| @@ -838,6 +830,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, | |||
| 838 | __be32 nlbufsiz = | 830 | __be32 nlbufsiz = |
| 839 | *(__be32 *)nla_data(nfula[NFULA_CFG_NLBUFSIZ]); | 831 | *(__be32 *)nla_data(nfula[NFULA_CFG_NLBUFSIZ]); |
| 840 | 832 | ||
| 833 | if (!inst) { | ||
| 834 | ret = -ENODEV; | ||
| 835 | goto out; | ||
| 836 | } | ||
| 841 | nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz)); | 837 | nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz)); |
| 842 | } | 838 | } |
| 843 | 839 | ||
| @@ -845,12 +841,21 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, | |||
| 845 | __be32 qthresh = | 841 | __be32 qthresh = |
| 846 | *(__be32 *)nla_data(nfula[NFULA_CFG_QTHRESH]); | 842 | *(__be32 *)nla_data(nfula[NFULA_CFG_QTHRESH]); |
| 847 | 843 | ||
| 844 | if (!inst) { | ||
| 845 | ret = -ENODEV; | ||
| 846 | goto out; | ||
| 847 | } | ||
| 848 | nfulnl_set_qthresh(inst, ntohl(qthresh)); | 848 | nfulnl_set_qthresh(inst, ntohl(qthresh)); |
| 849 | } | 849 | } |
| 850 | 850 | ||
| 851 | if (nfula[NFULA_CFG_FLAGS]) { | 851 | if (nfula[NFULA_CFG_FLAGS]) { |
| 852 | __be16 flags = | 852 | __be16 flags = |
| 853 | *(__be16 *)nla_data(nfula[NFULA_CFG_FLAGS]); | 853 | *(__be16 *)nla_data(nfula[NFULA_CFG_FLAGS]); |
| 854 | |||
| 855 | if (!inst) { | ||
| 856 | ret = -ENODEV; | ||
| 857 | goto out; | ||
| 858 | } | ||
| 854 | nfulnl_set_flags(inst, ntohs(flags)); | 859 | nfulnl_set_flags(inst, ntohs(flags)); |
| 855 | } | 860 | } |
| 856 | 861 | ||