git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Xin Long <lucien.xin@gmail.com>
	Fri, 18 Aug 2017 03:01:36 +0000 (11:01 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 30 Aug 2017 08:16:54 +0000 (10:16 +0200)
commit	28ae858736a42b37ff4352e3cb46e4a9e9299d2f
tree	1ceb4ae932b4cc10eb4862d1d808a64b08ce37f7	tree \| snapshot
parent	69e12f86c34a54bffba6480c22326e97c661ff2e	commit \| diff

net: sched: fix NULL pointer dereference when action calls some targets

[ Upstream commit 4f8a881acc9d1adaf1e552349a0b1df28933a04c ]

As we know in some target's checkentry it may dereference par.entryinfo
to check entry stuff inside. But when sched action calls xt_check_target,
par.entryinfo is set with NULL. It would cause kernel panic when calling
some targets.

It can be reproduce with:
  # tc qd add dev eth1 ingress handle ffff:
  # tc filter add dev eth1 parent ffff: u32 match u32 0 0 action xt \
    -j ECN --ecn-tcp-remove

It could also crash kernel when using target CLUSTERIP or TPROXY.

By now there's no proper value for par.entryinfo in ipt_init_target,
but it can not be set with NULL. This patch is to void all these
panics by setting it with an ipt_entry obj with all members = 0.

Note that this issue has been there since the very beginning.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>