authorFlorian Westphal <fw@strlen.de>2018-11-12 22:43:45 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-11-13 09:57:33 +0100
commit29e3880109e357fdc607b4393f8308cef6af9413 (patch)
treec1bd28510eb2dbacce9076ca3f4b4eb6c173a515 /net/netfilter/nft_compat.c
parent0fbcc5b568edab7d848b7c7fa66d44ffbd4133c0 (diff)
netfilter: nf_tables: fix use-after-free when deleting compat expressions
nft_compat ops do not have static storage duration, unlike all other expressions. When nf_tables_expr_destroy() returns, expr->ops might have been free'd already, so we need to store next address before calling expression destructor. For same reason, we can't deref match pointer after nft_xt_put(). This can be easily reproduced by adding msleep() before nft_match_destroy() returns. Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_compat.c')
-rw-r--r--net/netfilter/nft_compat.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 9d0ede4742240f..7334e0b80a5eff 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -520,6 +520,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
void *info)
{
struct xt_match *match = expr->ops->data;
+ struct module *me = match->me;
struct xt_mtdtor_param par;
par.net = ctx->net;
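Review bot: The new local `me` at the top of __nft_match_destroy carries no comment saying why the module pointer is read before the destructor runs, and the reason is not visible from the code alone. Per the commit message, the match pointer must not be dereferenced once nft_xt_put() has run, so a later cleanup that folds the local back into `module_put(match->me)` would silently reintroduce the use-after-free. I would add `/* read ->me now: match must not be dereferenced after nft_xt_put() */` above the declaration. The function body continues past this hunk and ends in the next one.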
@@ -530,7 +531,7 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
par.match->destroy(&par);
if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
- module_put(match->me);
+ module_put(me);
}
static void
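Review bot: Only the match destructor is converted to the cached `me` here, so any other destroy path in this file that calls nft_xt_put() and then dereferences the extension pointer would keep the same lifetime problem. The target-side destructor is not visible in this diff; if it ends with `module_put(target->me)` after nft_xt_put(), it needs the same early read of the module pointer. This should be checked against the full file before the fix is treated as complete, ideally with a KASAN-enabled build exercising deletion of both match and target expressions.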