Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-15 08:31:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
94f9cd8143
linux/net/netfilter
History
Munehisa Kamata 94f9cd8143 netfilter: nf_nat_redirect: add missing NULL pointer check 
Commit 8b13eddfdf ("netfilter: refactor NAT
redirect IPv4 to use it from nf_tables") has introduced a trivial logic
change which can result in the following crash.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffffa033002d>] nf_nat_redirect_ipv4+0x2d/0xa0 [nf_nat_redirect]
PGD 3ba662067 PUD 3ba661067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: ipv6(E) xt_REDIRECT(E) nf_nat_redirect(E) xt_tcpudp(E) iptable_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) nf_nat(E) nf_conntrack(E) ip_tables(E) x_tables(E) binfmt_misc(E) xfs(E) libcrc32c(E) evbug(E) evdev(E) psmouse(E) i2c_piix4(E) i2c_core(E) acpi_cpufreq(E) button(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E)
CPU: 0 PID: 2536 Comm: ip Tainted: G            E   4.1.7-15.23.amzn1.x86_64 #1
Hardware name: Xen HVM domU, BIOS 4.2.amazon 05/06/2015
task: ffff8800eb438000 ti: ffff8803ba664000 task.ti: ffff8803ba664000
[...]
Call Trace:
 <IRQ>
 [<ffffffffa0334065>] redirect_tg4+0x15/0x20 [xt_REDIRECT]
 [<ffffffffa02e2e99>] ipt_do_table+0x2b9/0x5e1 [ip_tables]
 [<ffffffffa0328045>] iptable_nat_do_chain+0x25/0x30 [iptable_nat]
 [<ffffffffa031777d>] nf_nat_ipv4_fn+0x13d/0x1f0 [nf_nat_ipv4]
 [<ffffffffa0328020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
 [<ffffffffa031785e>] nf_nat_ipv4_in+0x2e/0x90 [nf_nat_ipv4]
 [<ffffffffa03280a5>] iptable_nat_ipv4_in+0x15/0x20 [iptable_nat]
 [<ffffffff81449137>] nf_iterate+0x57/0x80
 [<ffffffff814491f7>] nf_hook_slow+0x97/0x100
 [<ffffffff814504d4>] ip_rcv+0x314/0x400

unsigned int
nf_nat_redirect_ipv4(struct sk_buff *skb,
...
{
...
		rcu_read_lock();
		indev = __in_dev_get_rcu(skb->dev);
		if (indev != NULL) {
			ifa = indev->ifa_list;
			newdst = ifa->ifa_local; <---
		}
		rcu_read_unlock();
...
}

Before the commit, 'ifa' had been always checked before access. After the
commit, however, it could be accessed even if it's NULL. Interestingly,
this was once fixed in 2003.

http://marc.info/?l=netfilter-devel&m=106668497403047&w=2

In addition to the original one, we have seen the crash when packets that
need to be redirected somehow arrive on an interface which hasn't been
yet fully configured.

This change just reverts the logic to the old behavior to avoid the crash.

Fixes: 8b13eddfdf ("netfilter: refactor NAT redirect IPv4 to use it from nf_tables")
Signed-off-by: Munehisa Kamata <kamatam@amazon.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-10-27 06:54:56 +01:00
..
ipset netfilter: ipset: Fix sleeping memory allocation in atomic context 2015-10-17 13:01:24 +02:00
ipvs ipvs: add more mcast parameters for the sync daemon 2015-08-21 09:10:11 -07:00
core.c netfilter: sync with packet rx also after removing queue entries 2015-10-13 13:59:56 +02:00
Kconfig netfilter: factor out packet duplication for IPv4/IPv6 2015-08-07 11:49:49 +02:00
Makefile netfilter: nf_tables: add netdev table to filter from ingress 2015-05-26 18:41:23 +02:00
nf_conntrack_acct.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_amanda.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
nf_conntrack_broadcast.c
nf_conntrack_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2015-09-05 21:57:42 -07:00
nf_conntrack_ecache.c netfilter: conntrack: remove timer from ecache extension 2014-06-25 19:15:38 +02:00
nf_conntrack_expect.c netfilter: nf_conntrack: add direction support for zones 2015-08-18 01:22:50 +02:00
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST 2015-05-25 13:25:33 -04:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: fix spelling errors 2014-10-30 17:35:30 +01:00
nf_conntrack_irc.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_l3proto_generic.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_labels.c netfilter: connlabels: Export setting connlabel length 2015-08-27 11:40:43 -07:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: nf_conntrack: add efficient mark to zone mapping 2015-08-18 01:24:05 +02:00
nf_conntrack_pptp.c netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_conntrack_proto_dccp.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_proto_generic.c netfilter: conntrack: warn the user if there is a better helper to use 2015-06-12 14:06:24 +02:00
nf_conntrack_proto_gre.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_proto_sctp.c netfilter: nf_ct_sctp: minimal multihoming support 2015-07-30 12:59:25 +02:00
nf_conntrack_proto_tcp.c conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition 2015-05-15 20:50:56 +02:00
nf_conntrack_proto_udp.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_proto_udplite.c netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_proto.c netfilter: nf_conntrack: remove dead code 2014-01-03 23:41:37 +01:00
nf_conntrack_sane.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_conntrack_seqadj.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_conntrack_sip.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_conntrack_snmp.c netfilter: nf_ct_snmp: add include file 2013-01-18 00:28:18 +01:00
nf_conntrack_standalone.c netfilter: nf_conntrack: add direction support for zones 2015-08-18 01:22:50 +02:00
nf_conntrack_tftp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_conntrack_timeout.c netfilter: nf_ct_timeout: move initialization out of pernet_operations 2013-01-23 12:56:02 +01:00
nf_conntrack_timestamp.c netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion 2013-12-20 14:58:29 +01:00
nf_internals.h netfilter: nf_queue: fix nf_queue_nf_hook_drop() 2015-07-23 16:17:58 +02:00
nf_log_common.c netfilter: bridge: add helpers for fetching physin/outdev 2015-04-08 16:49:08 +02:00
nf_log.c netfilter: nf_log: wait for rcu grace after logger unregistration 2015-09-17 13:37:31 +02:00
nf_nat_amanda.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_nat_core.c netfilter: nf_conntrack: add direction support for zones 2015-08-18 01:22:50 +02:00
nf_nat_ftp.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_nat_helper.c netfilter: nf_conntrack: make sequence number adjustments usuable without NAT 2013-08-28 00:26:48 +02:00
nf_nat_irc.c netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper 2014-01-06 14:17:17 +01:00
nf_nat_proto_common.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_dccp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_sctp.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_tcp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udp.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_udplite.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_nat_proto_unknown.c netfilter: add protocol independent NAT core 2012-08-30 03:00:14 +02:00
nf_nat_redirect.c netfilter: nf_nat_redirect: add missing NULL pointer check 2015-10-27 06:54:56 +01:00
nf_nat_sip.c netfilter: replace strnicmp with strncasecmp 2014-10-14 02:18:24 +02:00
nf_nat_tftp.c netfilter: nf_ct_helper: better logging for dropped packets 2013-02-19 02:48:05 +01:00
nf_queue.c netfilter: nf_queue: fix nf_queue_nf_hook_drop() 2015-07-23 16:17:58 +02:00
nf_sockopt.c netfilter: don't use mutex_lock_interruptible() 2014-08-08 16:47:23 +02:00
nf_synproxy_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2015-09-05 21:57:42 -07:00
nf_tables_api.c netfilter: nftables: Only run the nftables chains in the proper netns 2015-07-15 18:17:36 +02:00
nf_tables_core.c netfilter: nftables: Only run the nftables chains in the proper netns 2015-07-15 18:17:36 +02:00
nf_tables_inet.c netfilter: nf_tables: fix error path in the init functions 2014-01-09 23:25:48 +01:00
nf_tables_netdev.c netfilter: nf_tables_netdev: unregister hooks on net_device removal 2015-06-15 23:02:35 +02:00
nfnetlink_acct.c netfilter: nfacct: per network namespace support 2015-08-07 11:50:56 +02:00
nfnetlink_cthelper.c netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() 2015-03-12 13:07:36 +01:00
nfnetlink_cttimeout.c netfilter: cttimeout: allow to set/get default protocol timeouts 2013-10-01 13:17:39 +02:00
nfnetlink_log.c netfilter: Kill unused copies of RCV_SKB_FAIL 2015-06-18 21:14:27 +02:00
nfnetlink_queue_core.c netlink, mmap: fix edge-case leakages in nf queue zero-copy 2015-09-09 21:43:22 -07:00
nfnetlink_queue_ct.c netfilter: nf_conntrack: make sequence number adjustments usuable without NAT 2013-08-28 00:26:48 +02:00
nfnetlink.c netfilter: nfnetlink: work around wrong endianess in res_id field 2015-08-29 01:02:35 +02:00
nft_bitwise.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_byteorder.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_cmp.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_compat.c netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC 2015-09-14 18:10:57 +02:00
nft_counter.c netfilter: nft_counter: convert it to use per-cpu counters 2015-08-07 11:49:48 +02:00
nft_ct.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_dynset.c netfilter: nft_dynset: dynamic stateful expression instantiation 2015-04-13 20:19:55 +02:00
nft_exthdr.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_hash.c netfilter: nf_tables: variable sized set element keys / data 2015-04-13 17:17:31 +02:00
nft_immediate.c netfilter: nf_tables: support variable sized data in nft_data_init() 2015-04-13 17:17:30 +02:00
nft_limit.c netfilter: nft_limit: add per-byte limiting 2015-08-07 11:50:50 +02:00
nft_log.c netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00
nft_lookup.c netfilter: nf_tables: add flag to indicate set contains expressions 2015-04-13 20:12:32 +02:00
nft_masq.c netfilter: nf_tables: validate hooks in NAT expressions 2015-01-19 14:52:39 +01:00
nft_meta.c net: #ifdefify sk_classid member of struct sock 2015-07-21 16:04:30 -07:00
nft_nat.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_payload.c netfilter: nft_payload: work around vlan header stripping 2015-08-19 08:39:53 +02:00
nft_queue.c netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00
nft_rbtree.c netfilter: nf_tables: variable sized set element keys / data 2015-04-13 17:17:31 +02:00
nft_redir.c netfilter: nf_tables: add register parsing/dumping helpers 2015-04-13 17:17:28 +02:00
nft_reject_inet.c netfilter; Add some missing default cases to switch statements in nft_reject. 2015-04-27 13:20:34 -04:00
nft_reject.c netfilter; Add some missing default cases to switch statements in nft_reject. 2015-04-27 13:20:34 -04:00
x_tables.c netfilter: add and use jump label for xt_tee 2015-07-15 18:18:06 +02:00
xt_addrtype.c ipv6: Remove external dependency on rt6i_gateway and RTF_ANYCAST 2015-05-25 13:25:33 -04:00
xt_AUDIT.c netfilter: Convert uses of __constant_<foo> to <foo> 2014-03-13 14:13:19 +01:00
xt_bpf.c net: filter: split 'struct sk_filter' into socket and bpf parts 2014-08-02 15:03:58 -07:00
xt_cgroup.c netfilter: x_tables: fix cgroup matching on non-full sks 2015-04-01 11:26:42 +02:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_comment.c
xt_connbytes.c netfilter: Convert pr_warning to pr_warn 2014-09-10 12:40:10 -07:00
xt_connlabel.c netfilter: connlabels: Export setting connlabel length 2015-08-27 11:40:43 -07:00
xt_connlimit.c netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
xt_connmark.c netfilter: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
xt_CONNSECMARK.c
xt_conntrack.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_cpu.c
xt_CT.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2015-09-05 21:57:42 -07:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c netfilter: fix various sparse warnings 2014-11-13 12:14:42 +01:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: Remove checks of seq_printf() return values 2014-11-05 14:11:02 -05:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c net: use reciprocal_scale() helper 2014-08-23 12:21:21 -07:00
xt_IDLETIMER.c netfilter: IDLETIMER: fix lockdep warning 2015-07-13 17:23:25 +02:00
xt_ipcomp.c netfilter: xt_ipcomp: Use ntohs to ease sparse warning 2014-02-19 11:41:25 +01:00
xt_iprange.c
xt_ipvs.c ipvs: API change to avoid rescan of IPv6 exthdr 2012-09-28 11:34:33 +09:00
xt_l2tp.c netfilter: introduce l2tp match extension 2014-01-09 21:36:39 +01:00
xt_LED.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-08-05 18:46:26 -07:00
xt_length.c
xt_limit.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
xt_LOG.c netfilter: xt_LOG: add missing string format in nf_log_packet() 2014-06-28 18:50:35 +02:00
xt_mac.c
xt_mark.c netfilter: xt_MARK: Add ARP support 2015-05-14 13:00:27 +02:00
xt_multiport.c
xt_nat.c netfilter: xt_nat: fix incorrect hooks for SNAT and DNAT targets 2012-10-15 13:39:12 +02:00
xt_NETMAP.c netfilter: combine ipt_NETMAP and ip6t_NETMAP 2012-09-21 12:11:08 +02:00
xt_nfacct.c netfilter: nfacct: per network namespace support 2015-08-07 11:50:56 +02:00
xt_NFLOG.c netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
xt_NFQUEUE.c netfilter: xt_NFQUEUE: separate reusable code 2013-12-07 23:20:45 +01:00
xt_osf.c netfilter: xt_osf: Use continue to reduce indentation 2014-12-23 14:20:10 +01:00
xt_owner.c userns: xt_owner: Add basic user namespace support. 2012-08-14 21:55:30 -07:00
xt_physdev.c netfilter: physdev: use helpers 2015-04-08 16:49:09 +02:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c net_sched: add 64bit rate estimators 2013-06-11 02:51:03 -07:00
xt_RATEEST.c net: sched: make bstats per cpu and estimator RCU safe 2014-09-30 01:02:26 -04:00
xt_realm.c
xt_recent.c netfilter: xt_recent: don't reject rule if new hitcount exceeds table max 2015-02-16 17:00:47 +01:00
xt_REDIRECT.c netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
xt_repldata.h net: netfilter: LLVMLinux: vlais-netfilter 2014-06-07 11:44:39 -07:00
xt_sctp.c
xt_SECMARK.c
xt_set.c netfilter: ipset: Fix coding styles reported by checkpatch.pl 2015-06-14 10:40:18 +02:00
xt_socket.c netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag 2015-06-18 13:05:09 +02:00
xt_state.c
xt_statistic.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
xt_string.c net: Remove state argument from skb_find_text() 2015-02-22 15:59:54 -05:00
xt_tcpmss.c
xt_TCPMSS.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
xt_TCPOPTSTRIP.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
xt_tcpudp.c
xt_TEE.c netfilter: xt_TEE: fix NULL dereference 2015-10-22 12:55:25 +02:00
xt_time.c netfilter: xt_time: add support to ignore day transition 2012-09-24 14:29:01 +02:00
xt_TPROXY.c inet: inet_twsk_deschedule factorization 2015-07-09 15:12:20 -07:00
xt_TRACE.c
xt_u32.c