[PATCH nf] netfilter: nf_tables: check for valid chain type pointer before dereference

It's possible to create tables in a family that isn't supported/known.
Then, when adding a base chain, the table pointer can be NULL.

This gets us a NULL ptr dereference in nf_tables_addchain().

Fixes: baae3e62f31618 ("netfilter: nf_tables: fix chain type module reference handling")
Reported-by: syzbot+156a04714799b1d480bc@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 net/netfilter/nf_tables_api.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 65f51a2e9c2a..e8976128cdb1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -953,6 +953,9 @@ static int nf_tables_newtable(struct net *net, struct sock *nlsk,
 	struct nft_ctx ctx;
 	int err;
 
+	if (family >= NFPROTO_NUMPROTO)
+		return -EAFNOSUPPORT;
+
 	lockdep_assert_held(&net->nft.commit_mutex);
 	attr = nla[NFTA_TABLE_NAME];
 	table = nft_table_lookup(net, attr, family, genmask);
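Review bot: the new bound check at the top of nf_tables_newtable() returns before lockdep_assert_held(&net->nft.commit_mutex), so the locking assertion is skipped on this error path; moving the check below the assertion keeps lockdep coverage for every caller. The test also only rejects family >= NFPROTO_NUMPROTO, while the commit message talks about families that are not supported or known, so a one-line comment stating what the bound protects would make it clear that in-range families without a chain type are left to the !type check in nft_chain_parse_hook().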
@@ -1765,6 +1768,9 @@ static int nft_chain_parse_hook(struct net *net,
 	    ha[NFTA_HOOK_PRIORITY] == NULL)
 		return -EINVAL;
 
+	if (family >= NFPROTO_NUMPROTO)
+		return -EAFNOSUPPORT;
+
 	hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
 	hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
 
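Review bot: this is the same family >= NFPROTO_NUMPROTO test that the first hunk adds to nf_tables_newtable(), and the commit message does not say whether nft_chain_parse_hook() can still see an out-of-range family once table creation rejects it. If it can, name that path in the changelog; if it cannot, one of the two checks is redundant and could be dropped or folded into a small shared helper.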
@@ -1774,6 +1780,8 @@ static int nft_chain_parse_hook(struct net *net,
 						   family, autoload);
 		if (IS_ERR(type))
 			return PTR_ERR(type);
+	} else if (!type) {
+		return -EOPNOTSUPP;
 	}
 	if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
 		return -EOPNOTSUPP;
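Review bot: the added else if (!type) branch covers only the path where the block ending in IS_ERR(type) is not taken; inside that block type is tested with IS_ERR() alone, and type->hook_mask is dereferenced right afterwards on both paths. Either state that the lookup in the first branch never returns NULL, or test !type once after the if/else so both paths are covered. The commit message also says the table pointer can be NULL, while the pointer checked here is the chain type, which is worth correcting in the changelog.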
-- 
2.24.1



