Skip to content

Commit ea9cab1

Browse files
dvdgomezPlaidCat
dvdgomez
authored and
PlaidCat
committed
netfilter: nf_tables: reject QUEUE/DROP verdict parameters
jira LE-837 cve CVE-2024-1086 commit f342de4 upstream-diff fallthrough is a keyword in the upstream where as we have a comment to indicate that there is fall through on the default switch. This reverts commit e0abdad. core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar, or 0. Due to the reverted commit, its possible to provide a positive value, e.g. NF_ACCEPT (1), which results in use-after-free. Its not clear to me why this commit was made. NF_QUEUE is not used by nftables; "queue" rules in nftables will result in use of "nft_queue" expression. If we later need to allow specifiying errno values from userspace (do not know why), this has to call NF_DROP_GETERR and check that "err <= 0" holds true. Fixes: e0abdad ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters") Cc: [email protected] Reported-by: Notselwyn <[email protected]> Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit f342de4) Signed-off-by: David Gomez <[email protected]> (cherry picked from commit bc8e5de54ecb076c2cf381c4e55751f3f66d6835) Signed-off-by: Jonathan Maple <[email protected]>
1 parent 09e50aa commit ea9cab1

File tree

1 file changed

+6
-10
lines changed

1 file changed

+6
-10
lines changed

net/netfilter/nf_tables_api.c

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -8582,16 +8582,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
85828582
data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
85838583

85848584
switch (data->verdict.code) {
8585-
default:
8586-
switch (data->verdict.code & NF_VERDICT_MASK) {
8587-
case NF_ACCEPT:
8588-
case NF_DROP:
8589-
case NF_QUEUE:
8590-
break;
8591-
default:
8592-
return -EINVAL;
8593-
}
8594-
/* fall through */
8585+
case NF_ACCEPT:
8586+
case NF_DROP:
8587+
case NF_QUEUE:
8588+
break;
85958589
case NFT_CONTINUE:
85968590
case NFT_BREAK:
85978591
case NFT_RETURN:
@@ -8610,6 +8604,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
86108604
chain->use++;
86118605
data->verdict.chain = chain;
86128606
break;
8607+
default:
8608+
return -EINVAL;
86138609
}
86148610

86158611
desc->len = sizeof(data->verdict);

0 commit comments

Comments
 (0)