netfilter: nf_tables: Fix a use after free in nft_immediate_destroy()

The nf_tables_rule_release() function frees "rule" so we have to use
the _safe() version of list_for_each_entry().

Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 9e55663..c63eb3b 100644 (file)
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -103,9 +103,9 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
 {
        const struct nft_immediate_expr *priv = nft_expr_priv(expr);
        const struct nft_data *data = &priv->data;
+       struct nft_rule *rule, *n;
        struct nft_ctx chain_ctx;
        struct nft_chain *chain;
-       struct nft_rule *rule;
 
        if (priv->dreg != NFT_REG_VERDICT)
                return;
@@ -121,7 +121,7 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
                chain_ctx = *ctx;
                chain_ctx.chain = chain;
 
-               list_for_each_entry(rule, &chain->rules, list)
+               list_for_each_entry_safe(rule, n, &chain->rules, list)
                        nf_tables_rule_release(&chain_ctx, rule);
 
                nf_tables_chain_destroy(&chain_ctx);