Commit 4f8a881a authored by Xin Long's avatar Xin Long Committed by David S. Miller

net: sched: fix NULL pointer dereference when action calls some targets

As we know in some target's checkentry it may dereference par.entryinfo
to check entry stuff inside. But when sched action calls xt_check_target,
par.entryinfo is set with NULL. It would cause kernel panic when calling
some targets.

It can be reproduce with:
  # tc qd add dev eth1 ingress handle ffff:
  # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
    -j ECN --ecn-tcp-remove

It could also crash kernel when using target CLUSTERIP or TPROXY.

By now there's no proper value for par.entryinfo in ipt_init_target,
but it can not be set with NULL. This patch is to void all these
panics by setting it with an ipt_entry obj with all members = 0.

Note that this issue has been there since the very beginning.
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Acked-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9a19bad7
...@@ -41,6 +41,7 @@ static int ipt_init_target(struct net *net, struct xt_entry_target *t, ...@@ -41,6 +41,7 @@ static int ipt_init_target(struct net *net, struct xt_entry_target *t,
{ {
struct xt_tgchk_param par; struct xt_tgchk_param par;
struct xt_target *target; struct xt_target *target;
struct ipt_entry e = {};
int ret = 0; int ret = 0;
target = xt_request_find_target(AF_INET, t->u.user.name, target = xt_request_find_target(AF_INET, t->u.user.name,
...@@ -52,6 +53,7 @@ static int ipt_init_target(struct net *net, struct xt_entry_target *t, ...@@ -52,6 +53,7 @@ static int ipt_init_target(struct net *net, struct xt_entry_target *t,
memset(&par, 0, sizeof(par)); memset(&par, 0, sizeof(par));
par.net = net; par.net = net;
par.table = table; par.table = table;
par.entryinfo = &e;
par.target = target; par.target = target;
par.targinfo = t->data; par.targinfo = t->data;
par.hook_mask = hook; par.hook_mask = hook;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment