netfilter: nf_tables: missing sanitization in data from userspace

Do not assume userspace always sends us NFT_DATA_VALUE for bitwise and cmp expressions. Although NFT_DATA_VERDICT does not make any sense, it is still possible to handcraft a netlink message using this incorrect data type. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2017-05-15 11:17:29 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-05-15 12:51:40 +0200
commit: 71df14b0ce094be46d105b5a3ededd83b8e779a0 (patch)
tree: b0d32758237566a91e43001780641c7a6971d2dc /net/netfilter/nft_cmp.c
parent: netfilter: nf_tables: can't assume lock is acquired when dumping set elems (diff)
download: linux-dev-71df14b0ce094be46d105b5a3ededd83b8e779a0.tar.xz
linux-dev-71df14b0ce094be46d105b5a3ededd83b8e779a0.zip
1 files changed, 10 insertions, 2 deletions
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index 2b96effeadc1..8c9d0fb19118 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -201,10 +201,18 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
 	if (err < 0)
 		return ERR_PTR(err);
 
+	if (desc.type != NFT_DATA_VALUE) {
+		err = -EINVAL;
+		goto err1;
+	}
+
 	if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ)
 		return &nft_cmp_fast_ops;
-	else
-		return &nft_cmp_ops;
+
+	return &nft_cmp_ops;
+err1:
+	nft_data_uninit(&data, desc.type);
+	return ERR_PTR(-EINVAL);
 }
 
 struct nft_expr_type nft_cmp_type __read_mostly = {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2017-05-15 11:17:29 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-05-15 12:51:40 +0200
commit	71df14b0ce094be46d105b5a3ededd83b8e779a0 (patch)
tree	b0d32758237566a91e43001780641c7a6971d2dc /net/netfilter/nft_cmp.c
parent	netfilter: nf_tables: can't assume lock is acquired when dumping set elems (diff)
download	linux-dev-71df14b0ce094be46d105b5a3ededd83b8e779a0.tar.xz linux-dev-71df14b0ce094be46d105b5a3ededd83b8e779a0.zip