netfilter: nf_tables: do not allow RULE_ID to refer to another chain

author Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

Tue, 9 Aug 2022 17:01:48 +0000 (14:01 -0300)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Tue, 9 Aug 2022 17:38:18 +0000 (19:38 +0200)
author Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Tue, 9 Aug 2022 17:01:48 +0000 (14:01 -0300)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 9 Aug 2022 17:38:18 +0000 (19:38 +0200)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index 041accbaca328ded5b9899f77da494effac8f592..0c3c0523e5f293d9bcea985bca281c22f5cc7c81 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3373,6 +3373,7 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
  }
  
  static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+                                            const struct nft_chain *chain,
                                              const struct nlattr *nla);
  
  #define NFT_RULE_MAXEXPRS      128
@@ -3461,7 +3462,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
                                 return PTR_ERR(old_rule);
                         }
                 } else if (nla[NFTA_RULE_POSITION_ID]) {
-                       old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
+                       old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
                         if (IS_ERR(old_rule)) {
                                 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
                                 return PTR_ERR(old_rule);
@@ -3606,6 +3607,7 @@ err_release_expr:
  }
  
  static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+                                            const struct nft_chain *chain,
                                              const struct nlattr *nla)
  {
         struct nftables_pernet *nft_net = nft_pernet(net);
@@ -3616,6 +3618,7 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
                 struct nft_rule *rule = nft_trans_rule(trans);
  
                 if (trans->msg_type == NFT_MSG_NEWRULE &&
+                   trans->ctx.chain == chain &&
                     id == nft_trans_rule_id(trans))
                         return rule;
         }
@@ -3665,7 +3668,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
  
                         err = nft_delrule(&ctx, rule);
                 } else if (nla[NFTA_RULE_ID]) {
-                       rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
+                       rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
                         if (IS_ERR(rule)) {
                                 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
                                 return PTR_ERR(rule);
author	Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	Tue, 9 Aug 2022 17:01:48 +0000 (14:01 -0300)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 9 Aug 2022 17:38:18 +0000 (19:38 +0200)