netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled - wireguard-linux

diff options

author	Leonardo Bras <leonardo@linux.ibm.com>	2019-08-30 15:13:53 -0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-09-03 22:53:56 +0200
commit	88209141392a4a2521a2f67c13d7db5e84efbb58 (patch)
tree	05f1ede317f6cadcbed2d1f6cdad0a8111384ba1 /net/core/skbuff.c
parent	netfilter: nft_socket: fix erroneous socket assignment (diff)
download	wireguard-linux-88209141392a4a2521a2f67c13d7db5e84efbb58.tar.xz wireguard-linux-88209141392a4a2521a2f67c13d7db5e84efbb58.zip

netfilter: nft_fib_netdev: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled

If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up dealing with a IPv6 packet, it causes a kernel panic in fib6_node_lookup_1(), crashing in bad_page_fault. The panic is caused by trying to deference a very low address (0x38 in ppc64le), due to ipv6.fib6_main_tbl = NULL. BUG: Kernel NULL pointer dereference at 0x00000038 The kernel panic was reproduced in a host that disabled IPv6 on boot and have to process guest packets (coming from a bridge) using it's ip6tables. Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module is not loaded. Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/core/skbuff.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: