netfilter: nf_tables: Fix a use after free in nft_immediate_destroy()
author
Dan Carpenter
<dan.carpenter@oracle.com>
Tue, 14 Jul 2020 10:56:22 +0000
(13:56 +0300)
committer
Pablo Neira Ayuso
<pablo@netfilter.org>
Wed, 15 Jul 2020 18:15:19 +0000
(20:15 +0200)
The nf_tables_rule_release() function frees "rule" so we have to use
the _safe() version of list_for_each_entry().
Fixes:
d0e2c7de92c7
("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_immediate.c
diff --git
a/net/netfilter/nft_immediate.c
b/net/netfilter/nft_immediate.c
index
9e55663
..
c63eb3b
100644
(file)
--- a/
net/netfilter/nft_immediate.c
+++ b/
net/netfilter/nft_immediate.c
@@
-103,9
+103,9
@@
static void nft_immediate_destroy(const struct nft_ctx *ctx,
{
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
const struct nft_data *data = &priv->data;
+ struct nft_rule *rule, *n;
struct nft_ctx chain_ctx;
struct nft_chain *chain;
- struct nft_rule *rule;
if (priv->dreg != NFT_REG_VERDICT)
return;
@@
-121,7
+121,7
@@
static void nft_immediate_destroy(const struct nft_ctx *ctx,
chain_ctx = *ctx;
chain_ctx.chain = chain;
- list_for_each_entry
(rule
, &chain->rules, list)
+ list_for_each_entry
_safe(rule, n
, &chain->rules, list)
nf_tables_rule_release(&chain_ctx, rule);
nf_tables_chain_destroy(&chain_ctx);
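Review bot: The loop in the second hunk frees each rule through `nf_tables_rule_release(&chain_ctx, rule)` but nothing visible unlinks it from chain->rules, so between the release and `nf_tables_chain_destroy(&chain_ctx)` the list still holds pointers to released memory; the _safe iterator only protects the loop's own read of the next pointer, not any later walk of that list. If nf_tables_rule_release() does not perform the list_del itself (not shown in this diff), a `list_del(&rule->list);` immediately before the release call would keep the list consistent for whatever chain_destroy does; if it does, a one-line comment stating that would save the next reader the lookup. The reason the _safe variant is required lives only in the commit message, so I would carry it into the code above the loop as `/* nf_tables_rule_release() frees rule, hence the _safe walk. */`. Both hunks lie inside nft_immediate_destroy(), whose signature, the lookup that sets chain, and closing brace are outside this diff.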