git.baikalelectronics.ru Git - kernel.git/commit
netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT
author: Liping Zhang <liping.zhang@spreadtrum.com>
Sun, 21 Aug 2016 17:02:18 +0000 (01:02 +0800)
committer: Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 25 Aug 2016 10:55:34 +0000 (12:55 +0200)
commit 841ab1875cece208c6f092e0c632525b9e556f66
tree 5b44bf9b14d011a0072c609bec983b64ac52041d
parent 51848e2398c44605fba5c3ad9f71f1a05064711b
netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
  NULL pointer dereference at ...
  IP: [<ffffffff81b9db2f>] nf_send_reset+0xaf/0x400
  Call Trace:
  [<ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160
  [<ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
  [<ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables]
  [<ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables]
  [<ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
  [<ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
  [...]

Because in the PREROUTING chain, routing information does not exist,
so we dereference the NULL pointer and an oops happens.

So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nft_reject.h
net/ipv4/netfilter/nft_reject_ipv4.c
net/ipv6/netfilter/nft_reject_ipv6.c
net/netfilter/nft_reject.c
net/netfilter/nft_reject_inet.c
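The following is an added, stand-alone model of the check this commit introduces; it is not the kernel's code and not taken from the files listed above. The hook numbering follows the kernel's enum nf_inet_hooks, and the allowed mask is the INPUT/FORWARD/OUTPUT set the commit message names. The struct and function names (model_chain, model_skb, REJECT_HOOK_MASK, reject_validate, reject_eval_tcp_reset, add_reject_rule_and_run) are assumptions made for this example. It shows the two halves of the bug: a rule-load-time validate step that refuses a reject expression on a PREROUTING or POSTROUTING base chain, and a packet-path step that needs route information and would otherwise run with a NULL route on a pre-routing packet.

```c
#include <errno.h>
#include <stdio.h>

/* Netfilter hook numbers, in the kernel's enum nf_inet_hooks order. */
enum nf_inet_hooks {
	NF_INET_PRE_ROUTING,
	NF_INET_LOCAL_IN,
	NF_INET_FORWARD,
	NF_INET_LOCAL_OUT,
	NF_INET_POST_ROUTING,
	NF_INET_NUMHOOKS
};

/* Hooks on which a reject expression may sit: INPUT, FORWARD, OUTPUT.
 * (Name is an assumption for this example, not a kernel macro.) */
#define REJECT_HOOK_MASK \
	((1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD) | (1u << NF_INET_LOCAL_OUT))

/* Model of a base chain: only the hook it is attached to matters here. */
struct model_chain {
	const char *name;
	unsigned int hooknum;
};

/* Model of the per-packet state a TCP reset needs: the route entry. */
struct model_skb {
	const char *dst_dev;	/* NULL until routing has run, i.e. in PREROUTING */
};

/*
 * Rule-load-time check, modelled on the hook-mask restriction the commit
 * adds. Returns 0 when the chain's hook is allowed, -EOPNOTSUPP otherwise.
 */
int reject_validate(const struct model_chain *chain)
{
	if (chain->hooknum >= NF_INET_NUMHOOKS)
		return -EINVAL;
	if (!((1u << chain->hooknum) & REJECT_HOOK_MASK))
		return -EOPNOTSUPP;
	return 0;
}

/*
 * Packet-path model: building a TCP RST needs route information. Without
 * the validate step, a PREROUTING rule reaches this with dst_dev == NULL,
 * which is where the unpatched kernel dereferenced a NULL pointer. This
 * model returns -EINVAL instead of touching the missing route.
 */
int reject_eval_tcp_reset(const struct model_skb *skb)
{
	if (skb->dst_dev == NULL)
		return -EINVAL;	/* no route: cannot build a reset */
	return 0;		/* reset would be sent via skb->dst_dev */
}

/* Full path: try to add the rule to the chain, then run it over a packet. */
int add_reject_rule_and_run(const struct model_chain *chain, const struct model_skb *skb)
{
	int err = reject_validate(chain);
	if (err)
		return err;	/* rule refused at load time, packet path never reached */
	return reject_eval_tcp_reset(skb);
}

int main(void)
{
	/* Constructed sample chains and packets for the demonstration. */
	const struct model_chain chains[] = {
		{ "prerouting",  NF_INET_PRE_ROUTING },
		{ "input",       NF_INET_LOCAL_IN },
		{ "forward",     NF_INET_FORWARD },
		{ "output",      NF_INET_LOCAL_OUT },
		{ "postrouting", NF_INET_POST_ROUTING },
	};
	const struct model_skb unrouted = { NULL };	/* what PREROUTING sees */
	const struct model_skb routed = { "eth0" };

	for (size_t i = 0; i < sizeof(chains) / sizeof(chains[0]); i++) {
		const struct model_skb *skb =
			chains[i].hooknum == NF_INET_PRE_ROUTING ? &unrouted : &routed;
		printf("%-11s validate=%d run=%d\n", chains[i].name,
		       reject_validate(&chains[i]),
		       add_reject_rule_and_run(&chains[i], skb));
	}
	return 0;
}
```

With the validate step in place the prerouting rule is refused with -EOPNOTSUPP before any packet is processed, which matches the iptables REJECT target behaviour the commit message cites; the remaining three chains load and run normally.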