
Commit a3c8e7f

kaberdavem330
authored andcommitted
[NETFILTER]: nfnetlink_queue: fix checks in nfqnl_recv_config
The peer_pid must be checked in all cases when a queue exists; currently it is not checked for NFQA_CFG_QUEUE_MAXLEN when a NFQA_CFG_CMD attribute exists in some cases. Same for the queue existence check, which can cause a NULL pointer dereference. Also consistently return -ENODEV for "queue not found". -ENOENT would be better, but that is already used to indicate that a queued skb id doesn't exist. Signed-off-by: Patrick McHardy <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent e48b9b2 commit a3c8e7f

1 file changed

+12
-19
lines changed

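--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -781,8 +781,14 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 QDEBUG("entering for msg %u\n", NFNL_MSG_TYPE(nlh->nlmsg_type));
 
 queue = instance_lookup_get(queue_num);
+if (queue && queue->peer_pid != NETLINK_CB(skb).pid) {
+ret = -EPERM;
+goto out_put;
+}
+
 if (nfqa[NFQA_CFG_CMD]) {
 struct nfqnl_msg_config_cmd *cmd;
+
 cmd = nla_data(nfqa[NFQA_CFG_CMD]);
 QDEBUG("found CFG_CMD\n");
 
@@ -798,12 +804,6 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 case NFQNL_CFG_CMD_UNBIND:
 if (!queue)
 return -ENODEV;
-
-if (queue->peer_pid != NETLINK_CB(skb).pid) {
-ret = -EPERM;
-goto out_put;
-}
-
 instance_destroy(queue);
 break;
 case NFQNL_CFG_CMD_PF_BIND:
@@ -820,25 +820,13 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 ret = -EINVAL;
 break;
 }
-} else {
-if (!queue) {
-QDEBUG("no config command, and no instance ENOENT\n");
-ret = -ENOENT;
-goto out_put;
-}
-
-if (queue->peer_pid != NETLINK_CB(skb).pid) {
-QDEBUG("no config command, and wrong pid\n");
-ret = -EPERM;
-goto out_put;
-}
 }
 
 if (nfqa[NFQA_CFG_PARAMS]) {
 struct nfqnl_msg_config_params *params;
 
 if (!queue) {
-ret = -ENOENT;
+ret = -ENODEV;
 goto out_put;
 }
 params = nla_data(nfqa[NFQA_CFG_PARAMS]);
@@ -848,6 +836,11 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 
 if (nfqa[NFQA_CFG_QUEUE_MAXLEN]) {
 __be32 *queue_maxlen;
+
+if (!queue) {
+ret = -ENODEV;
+goto out_put;
+}
 queue_maxlen = nla_data(nfqa[NFQA_CFG_QUEUE_MAXLEN]);
 spin_lock_bh(&queue->lock);
 queue->queue_maxlen = ntohl(*queue_maxlen);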
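Review bot: Dropping the `} else { if (!queue) ... -ENOENT ... }` block in the third hunk (old lines 823-834) leaves one case without a "queue not found" error: a config message that carries no NFQA_CFG_CMD, no NFQA_CFG_PARAMS and no NFQA_CFG_QUEUE_MAXLEN for a queue_num that does not exist now falls through every branch to out_put with ret at its initial value, which is set outside the hunk (presumably 0, so the request would appear to succeed). The new per-attribute checks in the PARAMS and QUEUE_MAXLEN hunks only cover messages that actually carry those attributes. If the commit's intent to "consistently return -ENODEV for queue not found" includes that case, a check right after the new peer_pid test in the first hunk would close it: `if (!queue && !nfqa[NFQA_CFG_CMD]) { ret = -ENODEV; goto out_put; }`. nfqnl_recv_config begins and ends outside these hunks, so the initial value of ret and the out_put label are not visible here.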
