Message ID | 1460417474-8899-1-git-send-email-phil@nwl.cc |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Phil Sutter <phil@nwl.cc> wrote:
> If a requested extension exists as module and is not loaded,
> ebt_check_match() might accidentally use an NFPROTO_UNSPEC one with same
> name and fail.
>
> Reproduced with limit match: Given xt_limit and ebt_limit both built as
> module, the following would fail:
>
> modprobe xt_limit
> ebtables -I INPUT --limit 1/s -j ACCEPT
>
> The fix is to make ebt_check_match() distrust a found NFPROTO_UNSPEC
> extension and retry after requesting an appropriate module.
>
> Cc: Florian Westphal <fw@strlen.de>

Acked-by: Florian Westphal <fw@strlen.de>

Thanks for handling this.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Apr 12, 2016 at 01:31:14AM +0200, Phil Sutter wrote:
> If a requested extension exists as module and is not loaded,
> ebt_check_match() might accidentally use an NFPROTO_UNSPEC one with same
> name and fail.
>
> Reproduced with limit match: Given xt_limit and ebt_limit both built as
> module, the following would fail:
>
> modprobe xt_limit
> ebtables -I INPUT --limit 1/s -j ACCEPT
>
> The fix is to make ebt_check_match() distrust a found NFPROTO_UNSPEC
> extension and retry after requesting an appropriate module.

Applied, thanks.
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 8570bc7744c25..5a61f35412a05 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -370,7 +370,11 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par, left - sizeof(struct ebt_entry_match) < m->match_size) return -EINVAL; - match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0); + match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0); + if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) { + request_module("ebt_%s", m->u.name); + match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0); + } if (IS_ERR(match)) return PTR_ERR(match); m->u.match = match;
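Review bot: the retry path in this hunk leaks a module reference: xt_find_match() takes a reference on the match it returns, so when the first lookup yields a valid NFPROTO_UNSPEC match (the `match->family != NFPROTO_BRIDGE` case), that match is overwritten by the second xt_find_match() call without ever being released. Suggest dropping it before retrying, e.g. `if (!IS_ERR(match)) module_put(match->me);` right before the `request_module("ebt_%s", m->u.name);` line, so that a non-bridge extension of the same name does not stay pinned in memory after every ebtables rule insertion that hits this path.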
If a requested extension exists as module and is not loaded,
ebt_check_match() might accidentally use an NFPROTO_UNSPEC one with same
name and fail.

Reproduced with limit match: Given xt_limit and ebt_limit both built as
module, the following would fail:

modprobe xt_limit
ebtables -I INPUT --limit 1/s -j ACCEPT

The fix is to make ebt_check_match() distrust a found NFPROTO_UNSPEC
extension and retry after requesting an appropriate module.

Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 net/bridge/netfilter/ebtables.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)