diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-12-07 00:09:14 +0300 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-12-09 15:14:03 +0300 |
commit | 0d2c96af797ba149e559c5875c0151384ab6dd14 (patch) | |
tree | f7bdfa04d63e35348b2b8160841518207119975b /net/netfilter/nft_cmp.c | |
parent | bffc124b6fe37d0ae9b428d104efb426403bb5c9 (diff) | |
download | linux-0d2c96af797ba149e559c5875c0151384ab6dd14.tar.xz |
netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init()
Userspace might bogusly sent NFT_DATA_VERDICT in several netlink
attributes that assume NFT_DATA_VALUE. Moreover, make sure that error
path invokes nft_data_release() to decrement the reference count on the
chain object.
Fixes: 96518518cc41 ("netfilter: add nftables")
Fixes: 0f3cd9b36977 ("netfilter: nf_tables: add range expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_cmp.c')
-rw-r--r-- | net/netfilter/nft_cmp.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c index b8092069f868..8a28c127effc 100644 --- a/net/netfilter/nft_cmp.c +++ b/net/netfilter/nft_cmp.c @@ -81,6 +81,12 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr, if (err < 0) return err; + if (desc.type != NFT_DATA_VALUE) { + err = -EINVAL; + nft_data_release(&priv->data, desc.type); + return err; + } + priv->sreg = nft_parse_register(tb[NFTA_CMP_SREG]); err = nft_validate_register_load(priv->sreg, desc.len); if (err < 0) |