Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Harden set element field checks to avoid out-of-bound memory access, this patch also fixes the type of issue described in 7e6bc1f6 ("netfilter: nf_tables: stricter validation of element data") in a broader way. 2) Patches to restrict the chain, set, and rule id lookup in the transaction to the corresponding top-level table, patches from Thadeu Lima de Souza Cascardo. 3) Fix incorrect comment in ip6t_LOG.h 4) nft_data_init() performs upfront validation of the expected data. struct nft_data_desc is used to describe the expected data to be received from userspace. The .size field represents the maximum size that can be stored, for bound checks. Then, .len is an input/output field which stores the expected length as input (this is optional, to restrict the checks), as output it stores the real length received from userspace (if it was not specified as input). This patch comes in response to 7e6bc1f6 ("netfilter: nf_tables: stricter validation of element data") to address this type of issue in a more generic way by avoid opencoded data validation. Next patch requires this as a dependency. 5) Disallow jump to implicit chain from set element, this configuration is invalid. Only allow jump to chain via immediate expression is supported at this stage. 6) Fix possible null-pointer derefence in the error path of table updates, if memory allocation of the transaction fails. From Florian Westphal. * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: fix null deref due to zeroed list head netfilter: nf_tables: disallow jump to implicit chain from set element netfilter: nf_tables: upfront validation of data via nft_data_init() netfilter: ip6t_LOG: Fix a typo in a comment netfilter: nf_tables: do not allow RULE_ID to refer to another chain netfilter: nf_tables: do not allow CHAIN_ID to refer to another table netfilter: nf_tables: do not allow SET_ID to refer to another table netfilter: nf_tables: validate variable length element extension ==================== Link: https://lore.kernel.org/r/20220809220532.130240-1-pablo@netfilter.org/Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Showing
This diff is collapsed.
Please register or sign in to comment