From: Walter Harms <>
To: Colin King <>,
	Pablo Neira Ayuso <>,
	Jozsef Kadlecsik <>,
	"Florian Westphal" <>,
	"David S . Miller" <>,
	"Jakub Kicinski" <>
Subject: AW: [PATCH][next] netfilter: nf_tables: Fix dereference of null pointer flow
Date: Fri, 25 Jun 2021 10:06:26 +0000

Hi Colin,
Most free_something_functions accept NULL
these days; perhaps it would be more efficient
to add a check in nft_flow_rule_destroy().
There is a chance that this will also catch the same
mistake in the future.

From: Colin King <>
Sent: Thursday, 24 June 2021 21:57:18
To: Pablo Neira Ayuso; Jozsef Kadlecsik; Florian Westphal; David S . Miller; Jakub Kicinski
Subject: [PATCH][next] netfilter: nf_tables: Fix dereference of null pointer flow

From: Colin Ian King <>

In the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then
nft_flow_rule_create is not called and flow is NULL. The subsequent
error handling execution via label err_destroy_flow_rule will lead
to a null pointer dereference on flow when calling nft_flow_rule_destroy.
Since the error path to err_destroy_flow_rule has to cater for null
and non-null flows, only call nft_flow_rule_destroy if flow is non-null
to fix this issue.

Addresses-Coverity: ("Explicity null dereference")
Fixes: 3c5e44622011 ("netfilter: nf_tables: memleak in hw offload abort path")
Signed-off-by: Colin Ian King <>
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 390d4466567f..de182d1f7c4e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3446,7 +3446,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
        return 0;

-       nft_flow_rule_destroy(flow);
+       if (flow)
+               nft_flow_rule_destroy(flow);
        nf_tables_rule_release(&ctx, rule);
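Review bot: The added `if (flow)` test protects only this one call on the error path in nf_tables_newrule(); any other caller that reaches nft_flow_rule_destroy() with a NULL flow still dereferences it. Consider moving the check into nft_flow_rule_destroy() itself (an early return when flow is NULL), so the helper is NULL-safe in the same way kfree() is and the error path here can keep calling it unconditionally. The guard also depends on flow still being NULL when NFT_CHAIN_HW_OFFLOAD is not set, as the commit message states; the hunk does not show the declaration, so it is worth confirming that flow is initialised to NULL there and is not left holding an error pointer when nft_flow_rule_create fails.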
