On Fri, Jul 06, 2018 at 02:53:25PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Wed, Jul 04, 2018 at 09:13:06PM +0200, Florian Westphal wrote:
> > > iptables-nft never requests these, but explicitly reject this.
> > >
> > > If it were requested, kernel will oops as ->target is NULL.
> > >
> > > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> > > ---
> > > net/netfilter/nft_compat.c | 12 ++++++++++++
> > > 1 file changed, 12 insertions(+)
> > >
> > > diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
> > > index 8d1ff654e5af..198cef9c2906 100644
> > > --- a/net/netfilter/nft_compat.c
> > > +++ b/net/netfilter/nft_compat.c
> > > @@ -832,10 +832,16 @@ nft_target_select_ops(const struct nft_ctx *ctx,
> > > rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
> > > family = ctx->family;
> > >
> > > + if (strcmp(tg_name, "ERROR") == 0)
> > > + return ERR_PTR(-EINVAL);
> >
> > We can just reject XT_ERROR_TARGET and XT_STANDARD_TARGET here, to
> > keep it simple, right? So we don't use this hardcoded "ERROR".
>
> Yes, that works too.
> Rejecting XT_STANDARD_TARGET might be a good idea too in case someone
> ever changes it to have a non-null evaluation function.
Hm, I think we're already safe, right? I mean, the check for
target->target to be NULL and return -EINVAL is sufficient.
But I can just apply what I'm attaching for clarity if you prefer.
>From c5973195721b04050a85f67941e3ed0e53dccc8b Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@xxxxxxxxx>
Date: Wed, 4 Jul 2018 21:13:06 +0200
Subject: [PATCH] netfilter: nft_compat: explicitly reject builtin targets
iptables-nft never requests these, but explicitly reject this.
If it were requested, kernel will oops as ->target is NULL.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
net/netfilter/nft_compat.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 8d1ff654e5af..50224ea9c588 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -263,10 +263,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
if (ret < 0)
return ret;
- /* The standard target cannot be used */
- if (!target->target)
- return -EINVAL;
-
nft_xt = container_of(expr->ops, struct nft_xt, ops);
nft_xt->refcnt++;
return 0;
@@ -832,6 +828,10 @@ nft_target_select_ops(const struct nft_ctx *ctx,
rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
family = ctx->family;
+ if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
+ strcmp(tg_name, XT_STANDARD_TARGET) == 0)
+ return ERR_PTR(-EINVAL);
+
/* Re-use the existing target if it's already loaded. */
list_for_each_entry(nft_target, &nft_target_list, head) {
struct xt_target *target = nft_target->ops.data;
--
2.11.0
