Commit ea9cab1
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
jira LE-837
cve CVE-2024-1086
commit f342de4
upstream-diff fallthrough is a keyword in the upstream whereas we have
a comment to indicate that there is fall through on the default switch.

This reverts commit e0abdad.

core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
or 0.

Due to the reverted commit, it's possible to provide a positive
value, e.g. NF_ACCEPT (1), which results in use-after-free.

It's not clear to me why this commit was made.

NF_QUEUE is not used by nftables; "queue" rules in nftables
will result in use of "nft_queue" expression.

If we later need to allow specifying errno values from userspace
(do not know why), this has to call NF_DROP_GETERR and check that
"err <= 0" holds true.

Fixes: e0abdad ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
Cc: [email protected]
Reported-by: Notselwyn <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit f342de4)
Signed-off-by: David Gomez <[email protected]>
(cherry picked from commit bc8e5de54ecb076c2cf381c4e55751f3f66d6835)
Signed-off-by: Jonathan Maple <[email protected]>

1 parent 09e50aa commit ea9cab1
1 file changed, +6 -10 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8582 | 8582 | | |
8583 | 8583 | | |
8584 | 8584 | | |
8585 | | - | |
8586 | | - | |
8587 | | - | |
8588 | | - | |
8589 | | - | |
8590 | | - | |
8591 | | - | |
8592 | | - | |
8593 | | - | |
8594 | | - | |
| 8585 | + | |
| 8586 | + | |
| 8587 | + | |
| 8588 | + | |
8595 | 8589 | | |
8596 | 8590 | | |
8597 | 8591 | | |
| |||
8610 | 8604 | | |
8611 | 8605 | | |
8612 | 8606 | | |
| 8607 | + | |
| 8608 | + | |
8613 | 8609 | | |
8614 | 8610 | | |
8615 | 8611 | | |
| |||
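
The verdict encoding the commit message relies on, as an added userspace example (not code from this commit or from the kernel tree). The constants restate the kernel's netfilter verdict definitions; `check_masked`, `check_strict` and `check_drop_errno` are hypothetical helper names, and the sample verdict words are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict encoding, restated from the kernel's netfilter headers so this
 * builds in userspace. */
#define NF_DROP         0u
#define NF_ACCEPT       1u
#define NF_QUEUE        3u
#define NF_VERDICT_MASK 0x000000ffu
#define NF_VERDICT_BITS 16
#define NF_DROP_ERR(x)  (((uint32_t)(-(x)) << NF_VERDICT_BITS) | NF_DROP)

/* Same arithmetic as the kernel's NF_DROP_GETERR (arithmetic right shift). */
static int drop_geterr(uint32_t verdict)
{
    return -((int32_t)verdict >> NF_VERDICT_BITS);
}

/* Hypothetical model of a check that looks only at the low byte, so
 * parameter bits in the upper half pass through unexamined. */
static int check_masked(uint32_t code)
{
    uint32_t v = code & NF_VERDICT_MASK;
    return (v == NF_ACCEPT || v == NF_DROP || v == NF_QUEUE) ? 0 : -EINVAL;
}

/* Hypothetical strict check: the whole word must be a bare verdict. */
static int check_strict(uint32_t code)
{
    return (code == NF_ACCEPT || code == NF_DROP || code == NF_QUEUE) ? 0 : -EINVAL;
}

/* The condition the commit message names for any future errno support. */
static int check_drop_errno(uint32_t code)
{
    if ((code & NF_VERDICT_MASK) != NF_DROP)
        return -EINVAL;
    return drop_geterr(code) <= 0 ? 0 : -EINVAL;
}

int main(void)
{
    /* Constructed inputs: bare drop, drop carrying -EPERM, and a word whose
     * upper half decodes to a positive value. */
    uint32_t samples[] = { NF_DROP, NF_DROP_ERR(-EPERM), 0xffff0000u };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("0x%08x err=%d masked=%d strict=%d errno_ok=%d\n",
               (unsigned)samples[i], drop_geterr(samples[i]), check_masked(samples[i]),
               check_strict(samples[i]), check_drop_errno(samples[i]));
    return 0;
}
```

The third sample passes the low-byte check yet decodes to a positive "error", which is the case both the strict check and the `err <= 0` check reject.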