* [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update
@ 2019-09-04 12:29 Fernando Fernandez Mancera
2019-09-05 11:22 ` Pablo Neira Ayuso
2019-11-01 14:42 ` Eric Garver
0 siblings, 2 replies; 6+ messages in thread
From: Fernando Fernandez Mancera @ 2019-09-04 12:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: Fernando Fernandez Mancera
Not all objects need an update operation. If the object type doesn't implement
an update operation and the user tries to update it there will be a EOPNOTSUPP
error instead of a null pointer.
Fixes: d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation")
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index cf767bc58e18..013d28899cab 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5140,6 +5140,9 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,
struct nft_trans *trans;
int err;
+ if (!obj->ops->update)
+ return -EOPNOTSUPP;
+
trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
sizeof(struct nft_trans_obj));
if (!trans)
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update
2019-09-04 12:29 [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update Fernando Fernandez Mancera
@ 2019-09-05 11:22 ` Pablo Neira Ayuso
2019-11-01 14:42 ` Eric Garver
1 sibling, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-05 11:22 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel
On Wed, Sep 04, 2019 at 02:29:07PM +0200, Fernando Fernandez Mancera wrote:
> Not all objects need an update operation. If the object type doesn't implement
> an update operation and the user tries to update it there will be a EOPNOTSUPP
> error instead of a null pointer.
Applied, thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update
2019-09-04 12:29 [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update Fernando Fernandez Mancera
2019-09-05 11:22 ` Pablo Neira Ayuso
@ 2019-11-01 14:42 ` Eric Garver
2019-11-01 15:01 ` Fernando Fernández Mancera
1 sibling, 1 reply; 6+ messages in thread
From: Eric Garver @ 2019-11-01 14:42 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel
Hi Fernando,
On Wed, Sep 04, 2019 at 02:29:07PM +0200, Fernando Fernandez Mancera wrote:
> Not all objects need an update operation. If the object type doesn't implement
> an update operation and the user tries to update it there will be a EOPNOTSUPP
> error instead of a null pointer.
>
> Fixes: d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation")
> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
> ---
> net/netfilter/nf_tables_api.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index cf767bc58e18..013d28899cab 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -5140,6 +5140,9 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,
> struct nft_trans *trans;
> int err;
>
> + if (!obj->ops->update)
> + return -EOPNOTSUPP;
> +
> trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
> sizeof(struct nft_trans_obj));
> if (!trans)
> --
> 2.20.1
I think this introduced a regression when adding an object that already
exists:
# nft add table inet foobar
# nft add counter inet foobar my_counter
# nft add counter inet foobar my_counter
Error: Could not process rule: Operation not supported
add counter inet foobar my_counter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It applies to all objects that don't provide an update handler; counter,
ct helper, ct timeout, ct exception, etc.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update
2019-11-01 14:42 ` Eric Garver
@ 2019-11-01 15:01 ` Fernando Fernández Mancera
2019-11-01 15:11 ` Eric Garver
0 siblings, 1 reply; 6+ messages in thread
From: Fernando Fernández Mancera @ 2019-11-01 15:01 UTC (permalink / raw)
To: Eric Garver; +Cc: netfilter-devel
El 1 de noviembre de 2019 15:42:46 CET, Eric Garver <eric@garver.life> escribió:
>Hi Fernando,
>
>On Wed, Sep 04, 2019 at 02:29:07PM +0200, Fernando Fernandez Mancera
>wrote:
>> Not all objects need an update operation. If the object type doesn't
>implement
>> an update operation and the user tries to update it there will be a
>EOPNOTSUPP
>> error instead of a null pointer.
>>
>> Fixes: d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object
>update operation")
>> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
>> ---
>> net/netfilter/nf_tables_api.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/net/netfilter/nf_tables_api.c
>b/net/netfilter/nf_tables_api.c
>> index cf767bc58e18..013d28899cab 100644
>> --- a/net/netfilter/nf_tables_api.c
>> +++ b/net/netfilter/nf_tables_api.c
>> @@ -5140,6 +5140,9 @@ static int nf_tables_updobj(const struct
>nft_ctx *ctx,
>> struct nft_trans *trans;
>> int err;
>>
>> + if (!obj->ops->update)
>> + return -EOPNOTSUPP;
>> +
>> trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
>> sizeof(struct nft_trans_obj));
>> if (!trans)
>> --
>> 2.20.1
>
>I think this introduced a regression when adding an object that already
>exists:
>
> # nft add table inet foobar
> # nft add counter inet foobar my_counter
> # nft add counter inet foobar my_counter
> Error: Could not process rule: Operation not supported
> add counter inet foobar my_counter
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>It applies to all objects that don't provide an update handler;
>counter,
>ct helper, ct timeout, ct exception, etc.
Hi Eric,
It seems that you are right. What would be the behaviour here? Resets the object properties?
Thanks Eric!
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update
2019-11-01 15:01 ` Fernando Fernández Mancera
@ 2019-11-01 15:11 ` Eric Garver
2019-11-01 15:13 ` Fernando Fernández Mancera
0 siblings, 1 reply; 6+ messages in thread
From: Eric Garver @ 2019-11-01 15:11 UTC (permalink / raw)
To: Fernando Fernández Mancera; +Cc: netfilter-devel
On Fri, Nov 01, 2019 at 04:01:51PM +0100, Fernando Fernández Mancera wrote:
> El 1 de noviembre de 2019 15:42:46 CET, Eric Garver <eric@garver.life> escribió:
> >Hi Fernando,
> >
> >On Wed, Sep 04, 2019 at 02:29:07PM +0200, Fernando Fernandez Mancera
> >wrote:
> >> Not all objects need an update operation. If the object type doesn't
> >implement
> >> an update operation and the user tries to update it there will be a
> >EOPNOTSUPP
> >> error instead of a null pointer.
> >>
> >> Fixes: d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object
> >update operation")
> >> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
> >> ---
> >> net/netfilter/nf_tables_api.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/net/netfilter/nf_tables_api.c
> >b/net/netfilter/nf_tables_api.c
> >> index cf767bc58e18..013d28899cab 100644
> >> --- a/net/netfilter/nf_tables_api.c
> >> +++ b/net/netfilter/nf_tables_api.c
> >> @@ -5140,6 +5140,9 @@ static int nf_tables_updobj(const struct
> >nft_ctx *ctx,
> >> struct nft_trans *trans;
> >> int err;
> >>
> >> + if (!obj->ops->update)
> >> + return -EOPNOTSUPP;
> >> +
> >> trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
> >> sizeof(struct nft_trans_obj));
> >> if (!trans)
> >> --
> >> 2.20.1
> >
> >I think this introduced a regression when adding an object that already
> >exists:
> >
> > # nft add table inet foobar
> > # nft add counter inet foobar my_counter
> > # nft add counter inet foobar my_counter
> > Error: Could not process rule: Operation not supported
> > add counter inet foobar my_counter
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >It applies to all objects that don't provide an update handler;
> >counter,
> >ct helper, ct timeout, ct exception, etc.
>
> Hi Eric,
>
> It seems that you are right. What would be the behaviour here? Resets the object properties?
I don't know what the correct behavior is in the kernel - maybe it
silently skips it. i.e. no attempt to update, but returns no error.
From a user perspective it should happily accept the re-add.
# nft add table inet foobar
# nft add counter inet foobar my_counter
# nft add counter inet foobar my_counter
** no error **
Unless the "create" verb is used, then we should get an error:
# nft create counter inet foobar my_counter
Error: Could not process rule: File exists
create counter inet foobar my_counter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update
2019-11-01 15:11 ` Eric Garver
@ 2019-11-01 15:13 ` Fernando Fernández Mancera
0 siblings, 0 replies; 6+ messages in thread
From: Fernando Fernández Mancera @ 2019-11-01 15:13 UTC (permalink / raw)
To: Eric Garver; +Cc: netfilter-devel
El 1 de noviembre de 2019 16:11:59 CET, Eric Garver <eric@garver.life> escribió:
>On Fri, Nov 01, 2019 at 04:01:51PM +0100, Fernando Fernández Mancera
>wrote:
>> El 1 de noviembre de 2019 15:42:46 CET, Eric Garver
><eric@garver.life> escribió:
>> >Hi Fernando,
>> >
>> >On Wed, Sep 04, 2019 at 02:29:07PM +0200, Fernando Fernandez Mancera
>> >wrote:
>> >> Not all objects need an update operation. If the object type
>doesn't
>> >implement
>> >> an update operation and the user tries to update it there will be
>a
>> >EOPNOTSUPP
>> >> error instead of a null pointer.
>> >>
>> >> Fixes: d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful
>object
>> >update operation")
>> >> Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
>> >> ---
>> >> net/netfilter/nf_tables_api.c | 3 +++
>> >> 1 file changed, 3 insertions(+)
>> >>
>> >> diff --git a/net/netfilter/nf_tables_api.c
>> >b/net/netfilter/nf_tables_api.c
>> >> index cf767bc58e18..013d28899cab 100644
>> >> --- a/net/netfilter/nf_tables_api.c
>> >> +++ b/net/netfilter/nf_tables_api.c
>> >> @@ -5140,6 +5140,9 @@ static int nf_tables_updobj(const struct
>> >nft_ctx *ctx,
>> >> struct nft_trans *trans;
>> >> int err;
>> >>
>> >> + if (!obj->ops->update)
>> >> + return -EOPNOTSUPP;
>> >> +
>> >> trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
>> >> sizeof(struct nft_trans_obj));
>> >> if (!trans)
>> >> --
>> >> 2.20.1
>> >
>> >I think this introduced a regression when adding an object that
>already
>> >exists:
>> >
>> > # nft add table inet foobar
>> > # nft add counter inet foobar my_counter
>> > # nft add counter inet foobar my_counter
>> > Error: Could not process rule: Operation not supported
>> > add counter inet foobar my_counter
>> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> >
>> >It applies to all objects that don't provide an update handler;
>> >counter,
>> >ct helper, ct timeout, ct exception, etc.
>>
>> Hi Eric,
>>
>> It seems that you are right. What would be the behaviour here? Resets
>the object properties?
>
>I don't know what the correct behavior is in the kernel - maybe it
>silently skips it. i.e. no attempt to update, but returns no error.
>
>From a user perspective it should happily accept the re-add.
>
> # nft add table inet foobar
> # nft add counter inet foobar my_counter
> # nft add counter inet foobar my_counter
> ** no error **
>
>Unless the "create" verb is used, then we should get an error:
>
> # nft create counter inet foobar my_counter
> Error: Could not process rule: File exists
> create counter inet foobar my_counter
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sure, I am going to prepare a patch for this. Sorry about the regression. Thanks!
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-11-01 15:14 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-04 12:29 [PATCH nf-next v2] netfilter: nf_tables: fix possible null-pointer dereference in object update Fernando Fernandez Mancera
2019-09-05 11:22 ` Pablo Neira Ayuso
2019-11-01 14:42 ` Eric Garver
2019-11-01 15:01 ` Fernando Fernández Mancera
2019-11-01 15:11 ` Eric Garver
2019-11-01 15:13 ` Fernando Fernández Mancera
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).