iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: nf_tables: validate chain type update if available

Browse Source 
[ Upstream commit aaba7ddc8507f4ad5bbd07988573967632bc2385 ]

Parse netlink attribute containing the chain type in this update, to
bail out if this is different from the existing type.

Otherwise, it is possible to define a chain with the same name, hook and
priority but different type, which is silently ignored.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Pablo Neira Ayuso 2023-12-14 22:43:22 +01:00 committed by Greg Kroah-Hartman
parent f5ab4e73c9
commit f1ee0ffbc0
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
net/netfilter/nf_tables_api.c
View File

@ -2263,7 +2263,16 @@ static int nft_chain_parse_hook(struct net *net,
return -EOPNOTSUPP;
}
type = basechain->type;
if (nla[NFTA_CHAIN_TYPE]) {
type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
family);
if (!type) {
NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
return -ENOENT;
}
} else {
type = basechain->type;
}
}
if (!try_module_get(type->owner)) {