netfilter: xtables: check for unconditionality of policies

This adds a check that iptables's original author Rusty set forth in
a FIXME comment.

Underflows in iptables are better known as chain policies, and are
required to be unconditional or there would be a stochastical chance
for the policy rule to be skipped if it does not match. If that were
to happen, rule execution would continue in an unexpected spurious
fashion.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

1 files changed, 7 insertions, 5 deletions

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 8e4921a937ff..b0599b98d1b6 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -8,7 +8,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/capability.h>
 #include <linux/in.h>
 #include <linux/skbuff.h>
@@ -771,13 +771,15 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
                         continue;
                 if ((unsigned char *)e - base == hook_entries[h])
                         newinfo->hook_entry[h] = hook_entries[h];
-                if ((unsigned char *)e - base == underflows[h])
+                if ((unsigned char *)e - base == underflows[h]) {
+                        if (!unconditional(&e->ipv6)) {
+                                pr_err("Underflows must be unconditional\n");
+                                return -EINVAL;
+                        }
                         newinfo->underflow[h] = underflows[h];
+                }
         }
 
-        /* FIXME: underflows must be unconditional, standard verdicts
-           < 0 (not IP6T_RETURN). --RR */
-
         /* Clear counters and comefrom */
         e->counters = ((struct xt_counters) { 0, 0 });
         e->comefrom = 0;