| Message ID | 1544014590-14429-4-git-send-email-laoar.shao@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/5] netfilter: fix general protection fault when unregister sysctl table | expand |
On Wed, Dec 05, 2018 at 08:56:29PM +0800, Yafang Shao wrote: > nf_ct_l4proto_net() may return NULL. > That may happens if some module forget to set both l4proto->get_net_proto > and l4proto->net_id. > We'd check the return value here, in case crash happens. > > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > --- > net/netfilter/nf_conntrack_proto.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c > index 154e8c0..316fef3 100644 > --- a/net/netfilter/nf_conntrack_proto.c > +++ b/net/netfilter/nf_conntrack_proto.c > @@ -946,6 +946,9 @@ int nf_conntrack_proto_pernet_init(struct net *net) > struct nf_proto_net *pn = nf_ct_l4proto_net(net, > &nf_conntrack_l4proto_generic); There is another spot missing in this file that is missing the check for NULL. We can probably simplify all this is we place the gre conntracker in the conntrack core, as it's been suggested already. It's the only one remaining as a module and it now supports for IPv6, so it's probably better follow that path.
On Thu, Dec 13, 2018 at 7:26 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > On Wed, Dec 05, 2018 at 08:56:29PM +0800, Yafang Shao wrote: > > nf_ct_l4proto_net() may return NULL. > > That may happens if some module forget to set both l4proto->get_net_proto > > and l4proto->net_id. > > We'd check the return value here, in case crash happens. > > > > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > > --- > > net/netfilter/nf_conntrack_proto.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c > > index 154e8c0..316fef3 100644 > > --- a/net/netfilter/nf_conntrack_proto.c > > +++ b/net/netfilter/nf_conntrack_proto.c > > @@ -946,6 +946,9 @@ int nf_conntrack_proto_pernet_init(struct net *net) > > struct nf_proto_net *pn = nf_ct_l4proto_net(net, > > &nf_conntrack_l4proto_generic); > > There is another spot missing in this file that is missing the check > for NULL. > > We can probably simplify all this is we place the gre conntracker in > the conntrack core, as it's been suggested already. It's the only one > remaining as a module and it now supports for IPv6, so it's probably > better follow that path. Got it. Thanks for your explanation. Thanks Yafang
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index 154e8c0..316fef3 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -946,6 +946,9 @@ int nf_conntrack_proto_pernet_init(struct net *net) struct nf_proto_net *pn = nf_ct_l4proto_net(net, &nf_conntrack_l4proto_generic); + if (pn == NULL) + return -EINVAL; + err = nf_conntrack_l4proto_generic.init_net(net); if (err < 0) return err;
nf_ct_l4proto_net() may return NULL. That may happens if some module forget to set both l4proto->get_net_proto and l4proto->net_id. We'd check the return value here, in case crash happens. Signed-off-by: Yafang Shao <laoar.shao@gmail.com> --- net/netfilter/nf_conntrack_proto.c | 3 +++ 1 file changed, 3 insertions(+)