netfilter pull request 24-07-31

-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmaqq6cACgkQ1V2XiooU IOR9fg//Zb6OdwN7+mC8xeR+1nj1mOBiyaTvldLKR/Y2SS2bYX7zlSH/98RQo80f d5gogzAhbg/Rpy0hul0ZffPjdxo4X1Mr14YjGHRLRW2v6Xe1hNrl38Y+YLiSaJi2 jJpnWlbW/VS6CY16ETZEuEE+tGyPC920aTpMgRLdFODWiSJtGz/YR+2nonW7yYc5 joOS64liAV1ZIXUlkrcipMwgLlYQyUntREvrwmuESMP5pLzQR7x4csUSu3OqZc8L PJ/0vLj24w1LSlCowpkHK4bB+fyXYru5mDspebFOvFFdOmA+oWKS3KCrbZc8loaR Gs667lkk5KAyu45Smro0TAJLfzZdh+xEps0Va2+ZY/ZfrH16QDmJjkbNcGAFLf5W pweViM2DxmW4PnbCzxD1ZUtCcPdMjS6i/aIz+nQRUJF4Wy+irrxATRcUAxQaVXmD szrPBLxka44GhtvgSfKdOlBn49ytT5ZBfy+vIf+N53obIYHL+onVoEsLfck0Ps3Y sLvRQ9WBuDgnzhSqwE4Fg9Y3HsZrUOw/fo+9nTH4EHIREpUJJvHFirnfR1umkkoj oBRplQmT7ULe0TVicRxtsluSEIpeWNogig/RgO6272e14/+AieFTZ5Q2WIWrjqnN /Vc8GMq8+5cbSKm029drGlEv1+ZjZo2LTZGGvrrF4woYBWa/xbE= =dTVS -----END PGP SIGNATURE----- Merge tag 'nf-24-07-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: Fix a possible null-ptr-deref sometimes triggered by iptables-restore at boot time. Register iptables {ipv4,ipv6} nat table pernet in first place to fix this issue. Patch #1 and #2 from Kuniyuki Iwashima. netfilter pull request 24-07-31 * tag 'nf-24-07-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). ==================== Link: https://patch.msgid.link/20240731213046.6194-1-pablo@netfilter.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-08-01 12:08:28 +02:00 · 2024-08-01 12:08:28 +02:00 · 2b4a32daa6
commit 2b4a32daa6
parent a46c68debf c22921df77
2 changed files with 19 additions and 13 deletions
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@ -145,25 +145,27 @@ static struct pernet_operations iptable_nat_net_ops = {
 static int __init iptable_nat_init(void)
 {
-	int ret = xt_register_template(&nf_nat_ipv4_table,
+	int ret;
 				       iptable_nat_table_init);
 	/* net->gen->ptr[iptable_nat_net_id] must be allocated
 	 * before calling iptable_nat_table_init().
 	 */
 	ret = register_pernet_subsys(&iptable_nat_net_ops);
 	if (ret < 0)
 		return ret;
-	ret = register_pernet_subsys(&iptable_nat_net_ops);
+	ret = xt_register_template(&nf_nat_ipv4_table,
-	if (ret < 0) {
+				   iptable_nat_table_init);
-		xt_unregister_template(&nf_nat_ipv4_table);
+	if (ret < 0)
-		return ret;
+		unregister_pernet_subsys(&iptable_nat_net_ops);
 	}
 	return ret;
 }
 static void __exit iptable_nat_exit(void)
 {
 	unregister_pernet_subsys(&iptable_nat_net_ops);
 	xt_unregister_template(&nf_nat_ipv4_table);
 	unregister_pernet_subsys(&iptable_nat_net_ops);
 }
 module_init(iptable_nat_init);
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@ -147,23 +147,27 @@ static struct pernet_operations ip6table_nat_net_ops = {
 static int __init ip6table_nat_init(void)
 {
-	int ret = xt_register_template(&nf_nat_ipv6_table,
+	int ret;
 				       ip6table_nat_table_init);
 	/* net->gen->ptr[ip6table_nat_net_id] must be allocated
 	 * before calling ip6t_nat_register_lookups().
 	 */
 	ret = register_pernet_subsys(&ip6table_nat_net_ops);
 	if (ret < 0)
 		return ret;
-	ret = register_pernet_subsys(&ip6table_nat_net_ops);
+	ret = xt_register_template(&nf_nat_ipv6_table,
 				   ip6table_nat_table_init);
 	if (ret)
-		xt_unregister_template(&nf_nat_ipv6_table);
+		unregister_pernet_subsys(&ip6table_nat_net_ops);
 	return ret;
 }
 static void __exit ip6table_nat_exit(void)
 {
 	unregister_pernet_subsys(&ip6table_nat_net_ops);
 	xt_unregister_template(&nf_nat_ipv6_table);
 	unregister_pernet_subsys(&ip6table_nat_net_ops);
 }
 module_init(ip6table_nat_init);