netfilter: xtables: ignore unassigned hooks in check_entry_size_and_hooks

The "hook_entry" and "underflow" array contains values even for hooks
not provided, such as PREROUTING in conjunction with the "filter"
table. Usually, the values point to whatever the next rule is. For
the upcoming unconditionality and underflow checking patches however,
we must not inspect that arbitrary rule.

Skipping unassigned hooks seems like a good idea, also because
newinfo->hook_entry and newinfo->underflow will then continue to have
the poison value for detecting abnormalities.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

1 files changed, 4 insertions, 1 deletions

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1389ad904bc3..8e4921a937ff 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -747,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
                            unsigned char *limit,
                            const unsigned int *hook_entries,
                            const unsigned int *underflows,
+                           unsigned int valid_hooks,
                            unsigned int *i)
 {
         unsigned int h;
@@ -766,6 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
 
         /* Check hooks & underflows */
         for (h = 0; h < NF_INET_NUMHOOKS; h++) {
+                if (!(valid_hooks & (1 << h)))
+                        continue;
                 if ((unsigned char *)e - base == hook_entries[h])
                         newinfo->hook_entry[h] = hook_entries[h];
                 if ((unsigned char *)e - base == underflows[h])
@@ -837,7 +840,7 @@ translate_table(const char *name,
                                 newinfo,
                                 entry0,
                                 entry0 + size,
-                                hook_entries, underflows, &i);
+                                hook_entries, underflows, valid_hooks, &i);
         if (ret != 0)
                 return ret;