netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()

The nla_nest_start_noflag() function may fail and return NULL; the return value needs to be checked. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook") Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> 2023-05-24 15:25:27 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-06-07 01:43:30 +0300
commit: bd058763a624a1fb5c20f3c46e632d623c043676 (patch)
tree: 272983a243df39fe80b3d6229eacd7c1bc7cb6e9 /net
parent: 9025944fddfed5966c8f102f1fe921ab3aee2c12 (diff)
download: linux-bd058763a624a1fb5c20f3c46e632d623c043676.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index dc5675962de4..3445b8e1f462 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1600,6 +1600,8 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
 
 	if (nft_base_chain_netdev(family, ops->hooknum)) {
 		nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
+		if (!nest_devs)
+			goto nla_put_failure;
 
 		if (!hook_list)
 			hook_list = &basechain->hook_list;
author	Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>	2023-05-24 15:25:27 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-06-07 01:43:30 +0300
commit	bd058763a624a1fb5c20f3c46e632d623c043676 (patch)
tree	272983a243df39fe80b3d6229eacd7c1bc7cb6e9 /net
parent	9025944fddfed5966c8f102f1fe921ab3aee2c12 (diff)
download	linux-bd058763a624a1fb5c20f3c46e632d623c043676.tar.xz