Commit c0506365 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config

Similar to the nfnetlink_queue fixes:

The peer_pid must be checked in all cases when a logging instance exists.
Additionally, we must check whether an instance exists before attempting
to configure it, to avoid NULL ptr dereferences.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a7c42955
...@@ -753,9 +753,15 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -753,9 +753,15 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
UDEBUG("entering for msg %u\n", NFNL_MSG_TYPE(nlh->nlmsg_type)); UDEBUG("entering for msg %u\n", NFNL_MSG_TYPE(nlh->nlmsg_type));
inst = instance_lookup_get(group_num); inst = instance_lookup_get(group_num);
if (inst && inst->peer_pid != NETLINK_CB(skb).pid) {
ret = -EPERM;
goto out_put;
}
if (nfula[NFULA_CFG_CMD]) { if (nfula[NFULA_CFG_CMD]) {
u_int8_t pf = nfmsg->nfgen_family; u_int8_t pf = nfmsg->nfgen_family;
struct nfulnl_msg_config_cmd *cmd; struct nfulnl_msg_config_cmd *cmd;
cmd = nla_data(nfula[NFULA_CFG_CMD]); cmd = nla_data(nfula[NFULA_CFG_CMD]);
UDEBUG("found CFG_CMD for\n"); UDEBUG("found CFG_CMD for\n");
...@@ -779,11 +785,6 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -779,11 +785,6 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
goto out; goto out;
} }
if (inst->peer_pid != NETLINK_CB(skb).pid) {
ret = -EPERM;
goto out_put;
}
instance_destroy(inst); instance_destroy(inst);
goto out; goto out;
case NFULNL_CFG_CMD_PF_BIND: case NFULNL_CFG_CMD_PF_BIND:
...@@ -800,29 +801,16 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -800,29 +801,16 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
ret = -EINVAL; ret = -EINVAL;
break; break;
} }
if (!inst)
goto out;
} else {
if (!inst) {
UDEBUG("no config command, and no instance for "
"group=%u pid=%u =>ENOENT\n",
group_num, NETLINK_CB(skb).pid);
ret = -ENOENT;
goto out;
}
if (inst->peer_pid != NETLINK_CB(skb).pid) {
UDEBUG("no config command, and wrong pid\n");
ret = -EPERM;
goto out_put;
}
} }
if (nfula[NFULA_CFG_MODE]) { if (nfula[NFULA_CFG_MODE]) {
struct nfulnl_msg_config_mode *params; struct nfulnl_msg_config_mode *params;
params = nla_data(nfula[NFULA_CFG_MODE]); params = nla_data(nfula[NFULA_CFG_MODE]);
if (!inst) {
ret = -ENODEV;
goto out;
}
nfulnl_set_mode(inst, params->copy_mode, nfulnl_set_mode(inst, params->copy_mode,
ntohl(params->copy_range)); ntohl(params->copy_range));
} }
...@@ -831,6 +819,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -831,6 +819,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
__be32 timeout = __be32 timeout =
*(__be32 *)nla_data(nfula[NFULA_CFG_TIMEOUT]); *(__be32 *)nla_data(nfula[NFULA_CFG_TIMEOUT]);
if (!inst) {
ret = -ENODEV;
goto out;
}
nfulnl_set_timeout(inst, ntohl(timeout)); nfulnl_set_timeout(inst, ntohl(timeout));
} }
...@@ -838,6 +830,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -838,6 +830,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
__be32 nlbufsiz = __be32 nlbufsiz =
*(__be32 *)nla_data(nfula[NFULA_CFG_NLBUFSIZ]); *(__be32 *)nla_data(nfula[NFULA_CFG_NLBUFSIZ]);
if (!inst) {
ret = -ENODEV;
goto out;
}
nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz)); nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
} }
...@@ -845,12 +841,21 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -845,12 +841,21 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
__be32 qthresh = __be32 qthresh =
*(__be32 *)nla_data(nfula[NFULA_CFG_QTHRESH]); *(__be32 *)nla_data(nfula[NFULA_CFG_QTHRESH]);
if (!inst) {
ret = -ENODEV;
goto out;
}
nfulnl_set_qthresh(inst, ntohl(qthresh)); nfulnl_set_qthresh(inst, ntohl(qthresh));
} }
if (nfula[NFULA_CFG_FLAGS]) { if (nfula[NFULA_CFG_FLAGS]) {
__be16 flags = __be16 flags =
*(__be16 *)nla_data(nfula[NFULA_CFG_FLAGS]); *(__be16 *)nla_data(nfula[NFULA_CFG_FLAGS]);
if (!inst) {
ret = -ENODEV;
goto out;
}
nfulnl_set_flags(inst, ntohs(flags)); nfulnl_set_flags(inst, ntohs(flags));
} }
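Review bot: Dropping the `if (!inst) goto out;` that used to follow the command switch means a PF_BIND or PF_UNBIND request for a group with no instance now runs through all the attribute blocks with `inst == NULL` and on into the tail of nfulnl_recv_config, which is outside these hunks. If that tail falls through to the `out_put` label, the release there has to accept a NULL instance; please confirm that, and record the invariant with a comment before the NFULA_CFG_MODE block such as `/* inst may be NULL from here on: PF_BIND/PF_UNBIND do not need an instance */`. The same `-ENODEV` guard is now repeated in five attribute blocks, so any setter added later is safe only if its author remembers to copy it. Note also that a message combining PF_BIND with a config attribute has presumably already acted on the command by the time it fails with -ENODEV, so the caller sees an error for a request that was partly applied.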
......