| Message ID | 20131025165531.GA18336@home |
|---|---|
| State | Accepted |
| Headers | show |
On Fri, Oct 25, 2013 at 09:55:31AM -0700, Phil Oester wrote: > As reported by John Sager, nft_set_attr_get_u32 can cause a segfault because > nft_set_attr_get can return NULL. Check for a non-NULL pointer before > dereferencing. > > This closes netfilter bugzilla #868. I have mangled this patch to include possible null dereferences in get operations with rule objects (similar case). Let me know if you see any issue with my change. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, Oct 27, 2013 at 09:34:26PM +0100, Pablo Neira Ayuso wrote: > I have mangled this patch to include possible null dereferences in get > operations with rule objects (similar case). Let me know if you see > any issue with my change. Looks good, thanks. Phil -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/src/set.c b/src/set.c index 74ec1e3..85f73cf 100644 --- a/src/set.c +++ b/src/set.c @@ -183,8 +183,8 @@ EXPORT_SYMBOL(nft_set_attr_get_str); uint32_t nft_set_attr_get_u32(struct nft_set *s, uint16_t attr) { - uint32_t val = *((uint32_t *)nft_set_attr_get(s, attr)); - return val; + const void *val = nft_set_attr_get(s, attr); + return val ? *(uint32_t *)val : 0; } EXPORT_SYMBOL(nft_set_attr_get_u32);
As reported by John Sager, nft_set_attr_get_u32 can cause a segfault because nft_set_attr_get can return NULL. Check for a non-NULL pointer before dereferencing. This closes netfilter bugzilla #868. Signed-off-by: Phil Oester <kernel@linuxace.com>