Patchwork [2/3] netfilter: potential null derefence.

login
register
mail settings
Submitter santosh nayak
Date March 1, 2012, 9:17 a.m.
Message ID <1330593434-19275-1-git-send-email-santoshprasadnayak@gmail.com>
Download mbox | patch
Permalink /patch/143969/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

santosh nayak - March 1, 2012, 9:17 a.m.
From: Santosh Nayak <santoshprasadnayak@gmail.com>

I am getting following error.
" net/bridge/netfilter/ebtables.c:269 ebt_do_table()
  error: potential null derefence 'cs'"

    i = cs[sp].n;  // If cs == Null then this will cause problem.

Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
---
 net/bridge/netfilter/ebtables.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
Pablo Neira - March 1, 2012, 10:21 a.m.
On Thu, Mar 01, 2012 at 02:47:14PM +0530, santosh nayak wrote:
> From: Santosh Nayak <santoshprasadnayak@gmail.com>
> 
> I am getting following error.
> " net/bridge/netfilter/ebtables.c:269 ebt_do_table()
>   error: potential null derefence 'cs'"
> 
>     i = cs[sp].n;  // If cs == Null then this will cause problem.
> 
> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
> ---
>  net/bridge/netfilter/ebtables.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index f3fcbd9..9c0f177 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -209,8 +209,10 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
>  	   smp_processor_id());
>  	if (private->chainstack)
>  		cs = private->chainstack[smp_processor_id()];
> -	else
> +	else {
>  		cs = NULL;
> +		goto out;

There is no "out" label in ebt_do_table !!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
santosh nayak - March 1, 2012, 10:23 a.m.
Hi Pablo,

Please look at the last line of my patch.
I have added a new label "out"

regards
santosh

On Thu, Mar 1, 2012 at 3:51 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Mar 01, 2012 at 02:47:14PM +0530, santosh nayak wrote:
>> From: Santosh Nayak <santoshprasadnayak@gmail.com>
>>
>> I am getting following error.
>> " net/bridge/netfilter/ebtables.c:269 ebt_do_table()
>>   error: potential null derefence 'cs'"
>>
>>     i = cs[sp].n;  // If cs == Null then this will cause problem.
>>
>> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
>> ---
>>  net/bridge/netfilter/ebtables.c |    5 ++++-
>>  1 files changed, 4 insertions(+), 1 deletions(-)
>>
>> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
>> index f3fcbd9..9c0f177 100644
>> --- a/net/bridge/netfilter/ebtables.c
>> +++ b/net/bridge/netfilter/ebtables.c
>> @@ -209,8 +209,10 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
>>          smp_processor_id());
>>       if (private->chainstack)
>>               cs = private->chainstack[smp_processor_id()];
>> -     else
>> +     else {
>>               cs = NULL;
>> +             goto out;
>
> There is no "out" label in ebt_do_table !!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - March 1, 2012, 12:30 p.m.
On Thu, Mar 01, 2012 at 02:47:14PM +0530, santosh nayak wrote:
> From: Santosh Nayak <santoshprasadnayak@gmail.com>
> 
> I am getting following error.
> " net/bridge/netfilter/ebtables.c:269 ebt_do_table()
>   error: potential null derefence 'cs'"
> 
>     i = cs[sp].n;  // If cs == Null then this will cause problem.

Very sorry, I didn't see the out label.

I'll apply this to my nf [1] once David takes my previous request for
pulling.

[1] http://1984.lsi.us.es/git/net
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - March 2, 2012, 1:22 a.m.
On Thu, Mar 01, 2012 at 02:47:14PM +0530, santosh nayak wrote:
> From: Santosh Nayak <santoshprasadnayak@gmail.com>
> 
> I am getting following error.
> " net/bridge/netfilter/ebtables.c:269 ebt_do_table()
>   error: potential null derefence 'cs'"
> 
>     i = cs[sp].n;  // If cs == Null then this will cause problem.
> 
> Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
> ---
>  net/bridge/netfilter/ebtables.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index f3fcbd9..9c0f177 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -209,8 +209,10 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
>  	   smp_processor_id());
>  	if (private->chainstack)
>  		cs = private->chainstack[smp_processor_id()];
> -	else
> +	else {
>  		cs = NULL;

I just noticed we can remove this cs = NULL. No need to resend, I'll
mangle it myself.

> +		goto out;
> +	}
>  	chaininfo = private->hook_entry[hook];
>  	nentries = private->hook_entry[hook]->nentries;
>  	point = (struct ebt_entry *)(private->hook_entry[hook]->data);
> @@ -313,6 +315,7 @@ letscontinue:
>  		read_unlock_bh(&table->lock);
>  		return NF_ACCEPT;
>  	}
> +out:
>  	read_unlock_bh(&table->lock);
>  	return NF_DROP;
>  }
> -- 
> 1.7.4.4
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Bart De Schuymer - March 2, 2012, 9:31 p.m.
Op 1/03/2012 13:30, Pablo Neira Ayuso schreef:
> On Thu, Mar 01, 2012 at 02:47:14PM +0530, santosh nayak wrote:
>> From: Santosh Nayak<santoshprasadnayak@gmail.com>
>>
>> I am getting following error.
>> " net/bridge/netfilter/ebtables.c:269 ebt_do_table()
>>    error: potential null derefence 'cs'"
>>
>>      i = cs[sp].n;  // If cs == Null then this will cause problem.
>
> Very sorry, I didn't see the out label.
>
> I'll apply this to my nf [1] once David takes my previous request for
> pulling.
>

Hi,

Has this patch been tested? Really, that code in the core firewall 
function is there for a reason, wouldn't you think?
The chainstack is only allocated when user-defined chains are used (see 
translate_table).
Never blindly trust a tool.

Bart
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - March 3, 2012, 9:11 a.m.
On Fri, Mar 02, 2012 at 10:31:23PM +0100, Bart De Schuymer wrote:
> Op 1/03/2012 13:30, Pablo Neira Ayuso schreef:
> >On Thu, Mar 01, 2012 at 02:47:14PM +0530, santosh nayak wrote:
> >>From: Santosh Nayak<santoshprasadnayak@gmail.com>
> >>
> >>I am getting following error.
> >>" net/bridge/netfilter/ebtables.c:269 ebt_do_table()
> >>   error: potential null derefence 'cs'"
> >>
> >>     i = cs[sp].n;  // If cs == Null then this will cause problem.
> >
> >Very sorry, I didn't see the out label.
> >
> >I'll apply this to my nf [1] once David takes my previous request for
> >pulling.
> >
> 
> Hi,
> 
> Has this patch been tested? Really, that code in the core firewall
> function is there for a reason, wouldn't you think?
> The chainstack is only allocated when user-defined chains are used
> (see translate_table).
> Never blindly trust a tool.

I see, then that cs NULL dereference never happens.

Thanks Bart, I'll drop this patch.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f3fcbd9..9c0f177 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -209,8 +209,10 @@  unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
 	   smp_processor_id());
 	if (private->chainstack)
 		cs = private->chainstack[smp_processor_id()];
-	else
+	else {
 		cs = NULL;
+		goto out;
+	}
 	chaininfo = private->hook_entry[hook];
 	nentries = private->hook_entry[hook]->nentries;
 	point = (struct ebt_entry *)(private->hook_entry[hook]->data);
@@ -313,6 +315,7 @@  letscontinue:
 		read_unlock_bh(&table->lock);
 		return NF_ACCEPT;
 	}
+out:
 	read_unlock_bh(&table->lock);
 	return NF_DROP;
 }