netfilter: xtables: avoid BUG_ON

I see no reason for them, label or timer cannot be NULL, and if they
were, we'll crash with null deref anyway.

For skb_header_pointer failure, just set hotdrop to true and toss
such packet.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 8b14744..af737b4 100644 (file)
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -65,7 +65,10 @@ ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
                }
 
                hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
-               BUG_ON(hp == NULL);
+               if (!hp) {
+                       par->hotdrop = true;
+                       return false;
+               }
 
                /* Calculate the header length */
                if (nexthdr == NEXTHDR_FRAGMENT)

diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 2c99b94..21bf6bf 100644 (file)
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -137,7 +137,10 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
                                                        sizeof(_addr),
                                                        &_addr);
 
-                               BUG_ON(ap == NULL);
+                               if (ap == NULL) {
+                                       par->hotdrop = true;
+                                       return false;
+                               }
 
                                if (ipv6_addr_equal(ap, &rtinfo->addrs[i])) {
                                        pr_debug("i=%d temp=%d;\n", i, temp);
@@ -166,7 +169,10 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
                                                        + temp * sizeof(_addr),
                                                        sizeof(_addr),
                                                        &_addr);
-                               BUG_ON(ap == NULL);
+                               if (ap == NULL) {
+                                       par->hotdrop = true;
+                                       return false;
+                               }
 
                                if (!ipv6_addr_equal(ap, &rtinfo->addrs[temp]))
                                        break;

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 5ee8591..c6acfc2 100644 (file)
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -68,8 +68,6 @@ struct idletimer_tg *__idletimer_tg_find_by_label(const char *label)
 {
        struct idletimer_tg *entry;
 
-       BUG_ON(!label);
-
        list_for_each_entry(entry, &idletimer_tg_list, entry) {
                if (!strcmp(label, entry->attr.attr.name))
                        return entry;
@@ -172,8 +170,6 @@ static unsigned int idletimer_tg_target(struct sk_buff *skb,
        pr_debug("resetting timer %s, timeout period %u\n",
                 info->label, info->timeout);
 
-       BUG_ON(!info->timer);
-
        mod_timer(&info->timer->timer,
                  msecs_to_jiffies(info->timeout * 1000) + jiffies);
 

diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 4ad5fe2..f16202d 100644 (file)
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -35,8 +35,6 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
        u32 secmark = 0;
        const struct xt_secmark_target_info *info = par->targinfo;
 
-       BUG_ON(info->mode != mode);
-
        switch (mode) {
        case SECMARK_MODE_SEL:
                secmark = info->secid;