diff options
| author | Dmitry Mishin <dim@openvz.org> | 2006-10-30 18:14:27 -0500 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2006-10-30 18:24:47 -0500 |
| commit | 920b868ae1dfdac77c5e8c97e7067b23680f043e (patch) | |
| tree | cec854f186e6ac37ea0b599f34a44fbfe7d49d2c /net | |
| parent | c073e3fa8b7f9841aa6451885f135656d455f511 (diff) | |
[NETFILTER]: ip_tables: compat code module refcounting fix
This patch fixes bug in iptables modules refcounting on compat error way.
As we are getting modules in check_compat_entry_size_and_hooks(), in case of
later error, we should put them all in translate_compat_table(), not in the
compat_copy_entry_from_user() or compat_copy_match_from_user(), as it is now.
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Acked-by: Vasily Averin <vvs@openvz.org>
Acked-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 36 |
1 files changed, 11 insertions, 25 deletions
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 0f4835cf0e4d..8a455439b128 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
| @@ -1527,7 +1527,7 @@ cleanup_matches: | |||
| 1527 | 1527 | ||
| 1528 | static inline int compat_copy_match_from_user(struct ipt_entry_match *m, | 1528 | static inline int compat_copy_match_from_user(struct ipt_entry_match *m, |
| 1529 | void **dstptr, compat_uint_t *size, const char *name, | 1529 | void **dstptr, compat_uint_t *size, const char *name, |
| 1530 | const struct ipt_ip *ip, unsigned int hookmask, int *i) | 1530 | const struct ipt_ip *ip, unsigned int hookmask) |
| 1531 | { | 1531 | { |
| 1532 | struct ipt_entry_match *dm; | 1532 | struct ipt_entry_match *dm; |
| 1533 | struct ipt_match *match; | 1533 | struct ipt_match *match; |
| @@ -1540,22 +1540,13 @@ static inline int compat_copy_match_from_user(struct ipt_entry_match *m, | |||
| 1540 | ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm), | 1540 | ret = xt_check_match(match, AF_INET, dm->u.match_size - sizeof(*dm), |
| 1541 | name, hookmask, ip->proto, | 1541 | name, hookmask, ip->proto, |
| 1542 | ip->invflags & IPT_INV_PROTO); | 1542 | ip->invflags & IPT_INV_PROTO); |
| 1543 | if (ret) | 1543 | if (!ret && m->u.kernel.match->checkentry |
| 1544 | goto err; | ||
| 1545 | |||
| 1546 | if (m->u.kernel.match->checkentry | ||
| 1547 | && !m->u.kernel.match->checkentry(name, ip, match, dm->data, | 1544 | && !m->u.kernel.match->checkentry(name, ip, match, dm->data, |
| 1548 | hookmask)) { | 1545 | hookmask)) { |
| 1549 | duprintf("ip_tables: check failed for `%s'.\n", | 1546 | duprintf("ip_tables: check failed for `%s'.\n", |
| 1550 | m->u.kernel.match->name); | 1547 | m->u.kernel.match->name); |
| 1551 | ret = -EINVAL; | 1548 | ret = -EINVAL; |
| 1552 | goto err; | ||
| 1553 | } | 1549 | } |
| 1554 | (*i)++; | ||
| 1555 | return 0; | ||
| 1556 | |||
| 1557 | err: | ||
| 1558 | module_put(m->u.kernel.match->me); | ||
| 1559 | return ret; | 1550 | return ret; |
| 1560 | } | 1551 | } |
| 1561 | 1552 | ||
| @@ -1567,19 +1558,18 @@ static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr, | |||
| 1567 | struct ipt_target *target; | 1558 | struct ipt_target *target; |
| 1568 | struct ipt_entry *de; | 1559 | struct ipt_entry *de; |
| 1569 | unsigned int origsize; | 1560 | unsigned int origsize; |
| 1570 | int ret, h, j; | 1561 | int ret, h; |
| 1571 | 1562 | ||
| 1572 | ret = 0; | 1563 | ret = 0; |
| 1573 | origsize = *size; | 1564 | origsize = *size; |
| 1574 | de = (struct ipt_entry *)*dstptr; | 1565 | de = (struct ipt_entry *)*dstptr; |
| 1575 | memcpy(de, e, sizeof(struct ipt_entry)); | 1566 | memcpy(de, e, sizeof(struct ipt_entry)); |
| 1576 | 1567 | ||
| 1577 | j = 0; | ||
| 1578 | *dstptr += sizeof(struct compat_ipt_entry); | 1568 | *dstptr += sizeof(struct compat_ipt_entry); |
| 1579 | ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size, | 1569 | ret = IPT_MATCH_ITERATE(e, compat_copy_match_from_user, dstptr, size, |
| 1580 | name, &de->ip, de->comefrom, &j); | 1570 | name, &de->ip, de->comefrom); |
| 1581 | if (ret) | 1571 | if (ret) |
| 1582 | goto cleanup_matches; | 1572 | goto err; |
| 1583 | de->target_offset = e->target_offset - (origsize - *size); | 1573 | de->target_offset = e->target_offset - (origsize - *size); |
| 1584 | t = ipt_get_target(e); | 1574 | t = ipt_get_target(e); |
| 1585 | target = t->u.kernel.target; | 1575 | target = t->u.kernel.target; |
| @@ -1613,12 +1603,7 @@ static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr, | |||
| 1613 | goto err; | 1603 | goto err; |
| 1614 | } | 1604 | } |
| 1615 | ret = 0; | 1605 | ret = 0; |
| 1616 | return ret; | ||
| 1617 | |||
| 1618 | err: | 1606 | err: |
| 1619 | module_put(t->u.kernel.target->me); | ||
| 1620 | cleanup_matches: | ||
| 1621 | IPT_MATCH_ITERATE(e, cleanup_match, &j); | ||
| 1622 | return ret; | 1607 | return ret; |
| 1623 | } | 1608 | } |
| 1624 | 1609 | ||
| @@ -1632,7 +1617,7 @@ translate_compat_table(const char *name, | |||
| 1632 | unsigned int *hook_entries, | 1617 | unsigned int *hook_entries, |
| 1633 | unsigned int *underflows) | 1618 | unsigned int *underflows) |
| 1634 | { | 1619 | { |
| 1635 | unsigned int i; | 1620 | unsigned int i, j; |
| 1636 | struct xt_table_info *newinfo, *info; | 1621 | struct xt_table_info *newinfo, *info; |
| 1637 | void *pos, *entry0, *entry1; | 1622 | void *pos, *entry0, *entry1; |
| 1638 | unsigned int size; | 1623 | unsigned int size; |
| @@ -1650,21 +1635,21 @@ translate_compat_table(const char *name, | |||
| 1650 | } | 1635 | } |
| 1651 | 1636 | ||
| 1652 | duprintf("translate_compat_table: size %u\n", info->size); | 1637 | duprintf("translate_compat_table: size %u\n", info->size); |
| 1653 | i = 0; | 1638 | j = 0; |
| 1654 | xt_compat_lock(AF_INET); | 1639 | xt_compat_lock(AF_INET); |
| 1655 | /* Walk through entries, checking offsets. */ | 1640 | /* Walk through entries, checking offsets. */ |
| 1656 | ret = IPT_ENTRY_ITERATE(entry0, total_size, | 1641 | ret = IPT_ENTRY_ITERATE(entry0, total_size, |
| 1657 | check_compat_entry_size_and_hooks, | 1642 | check_compat_entry_size_and_hooks, |
| 1658 | info, &size, entry0, | 1643 | info, &size, entry0, |
| 1659 | entry0 + total_size, | 1644 | entry0 + total_size, |
| 1660 | hook_entries, underflows, &i, name); | 1645 | hook_entries, underflows, &j, name); |
| 1661 | if (ret != 0) | 1646 | if (ret != 0) |
| 1662 | goto out_unlock; | 1647 | goto out_unlock; |
| 1663 | 1648 | ||
| 1664 | ret = -EINVAL; | 1649 | ret = -EINVAL; |
| 1665 | if (i != number) { | 1650 | if (j != number) { |
| 1666 | duprintf("translate_compat_table: %u not %u entries\n", | 1651 | duprintf("translate_compat_table: %u not %u entries\n", |
| 1667 | i, number); | 1652 | j, number); |
| 1668 | goto out_unlock; | 1653 | goto out_unlock; |
| 1669 | } | 1654 | } |
| 1670 | 1655 | ||
| @@ -1723,6 +1708,7 @@ translate_compat_table(const char *name, | |||
| 1723 | free_newinfo: | 1708 | free_newinfo: |
| 1724 | xt_free_table_info(newinfo); | 1709 | xt_free_table_info(newinfo); |
| 1725 | out: | 1710 | out: |
| 1711 | IPT_ENTRY_ITERATE(entry0, total_size, cleanup_entry, &j); | ||
| 1726 | return ret; | 1712 | return ret; |
| 1727 | out_unlock: | 1713 | out_unlock: |
| 1728 | compat_flush_offsets(); | 1714 | compat_flush_offsets(); |