git.baikalelectronics.ru Git - kernel.git/commit

author	Liping Zhang <liping.zhang@spreadtrum.com>
	Sun, 21 Aug 2016 17:02:18 +0000 (01:02 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 25 Aug 2016 10:55:34 +0000 (12:55 +0200)
commit	de091885e2c45b10ae8aafccf1173a50e316e29f
tree	5b44bf9b14d011a0072c609bec983b64ac52041d	tree \| snapshot
parent	eeda25a8482c16e574af65a341fd215cbdc193e5	commit \| diff

netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
  NULL pointer dereference at ...
  IP: [<ffffffff81b9db2f>] nf_send_reset+0xaf/0x400
  Call Trace:
  [<ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160
  [<ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
  [<ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables]
  [<ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables]
  [<ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
  [<ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
  [...]

Because in the PREROUTING chain, routing information is not exist,
then we will dereference the NULL pointer and oops happen.

So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nft_reject.h		diff \| blob \| history
net/ipv4/netfilter/nft_reject_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nft_reject_ipv6.c		diff \| blob \| history
net/netfilter/nft_reject.c		diff \| blob \| history
net/netfilter/nft_reject_inet.c		diff \| blob \| history