Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c0506365a928adfd5608ed6873a705ae18e2daaf
Commit:     c0506365a928adfd5608ed6873a705ae18e2daaf
Parent:     a7c42955e036127f793ad955d3ec718494efb1eb
Author:     Patrick McHardy <[EMAIL PROTECTED]>
AuthorDate: Mon Dec 17 22:39:55 2007 -0800
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Mon Jan 28 14:59:00 2008 -0800

    [NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config
    
    Similar to the nfnetlink_queue fixes:
    
    The peer_pid must be checked in all cases when a logging instance exists,
    additionally we must check whether an instance exists before attempting
    to configure it to avoid NULL ptr dereferences.
    
    Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/netfilter/nfnetlink_log.c |   49 ++++++++++++++++++++++------------------
 1 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 02e6357..3dcc6f5 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -753,9 +753,15 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
        UDEBUG("entering for msg %u\n", NFNL_MSG_TYPE(nlh->nlmsg_type));
 
        inst = instance_lookup_get(group_num);
+       if (inst && inst->peer_pid != NETLINK_CB(skb).pid) {
+               ret = -EPERM;
+               goto out_put;
+       }
+
        if (nfula[NFULA_CFG_CMD]) {
                u_int8_t pf = nfmsg->nfgen_family;
                struct nfulnl_msg_config_cmd *cmd;
+
                cmd = nla_data(nfula[NFULA_CFG_CMD]);
                UDEBUG("found CFG_CMD for\n");
 
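Review bot: The ownership check added after `instance_lookup_get(group_num)` sits ahead of the command switch, so it also gates the `NFULNL_CFG_CMD_PF_BIND` case visible further down in the same switch. That command appears to act on the protocol family held in `pf` rather than on a log group (inferred from the name; its body is outside the hunks), yet it would now return -EPERM whenever `group_num` matches an instance bound by a different peer. If family-level commands are not meant to depend on group ownership, they should be dispatched before the lookup. A comment at the check such as `/* only the peer that bound this group may reconfigure or destroy it */` would also record the rule; the function starts and ends outside this hunk.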
@@ -779,11 +785,6 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                                goto out;
                        }
 
-                       if (inst->peer_pid != NETLINK_CB(skb).pid) {
-                               ret = -EPERM;
-                               goto out_put;
-                       }
-
                        instance_destroy(inst);
                        goto out;
                case NFULNL_CFG_CMD_PF_BIND:
@@ -800,29 +801,16 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                        ret = -EINVAL;
                        break;
                }
-
-               if (!inst)
-                       goto out;
-       } else {
-               if (!inst) {
-                       UDEBUG("no config command, and no instance for "
-                               "group=%u pid=%u =>ENOENT\n",
-                               group_num, NETLINK_CB(skb).pid);
-                       ret = -ENOENT;
-                       goto out;
-               }
-
-               if (inst->peer_pid != NETLINK_CB(skb).pid) {
-                       UDEBUG("no config command, and wrong pid\n");
-                       ret = -EPERM;
-                       goto out_put;
-               }
        }
 
        if (nfula[NFULA_CFG_MODE]) {
                struct nfulnl_msg_config_mode *params;
                params = nla_data(nfula[NFULA_CFG_MODE]);
 
+               if (!inst) {
+                       ret = -ENODEV;
+                       goto out;
+               }
                nfulnl_set_mode(inst, params->copy_mode,
                                ntohl(params->copy_range));
        }
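Review bot: With the `else` branch removed, a request that carries neither `NFULA_CFG_CMD` nor any config attribute for a group without an instance no longer returns -ENOENT; it seems to fall through and return whatever `ret` was initialised to, which is outside this hunk. Callers that relied on -ENOENT will also see -ENODEV now when an attribute is present. If both changes are intended, a comment above the attribute blocks such as `/* attributes require a bound instance; an empty request is a no-op */` would make that explicit. The `if (!inst) { ret = -ENODEV; goto out; }` guard added here is repeated verbatim in the TIMEOUT, NLBUFSIZ, QTHRESH and FLAGS blocks of the following hunks and could live in one place, for example a small static helper.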
@@ -831,6 +819,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                __be32 timeout =
                        *(__be32 *)nla_data(nfula[NFULA_CFG_TIMEOUT]);
 
+               if (!inst) {
+                       ret = -ENODEV;
+                       goto out;
+               }
                nfulnl_set_timeout(inst, ntohl(timeout));
        }
 
@@ -838,6 +830,10 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                __be32 nlbufsiz =
                        *(__be32 *)nla_data(nfula[NFULA_CFG_NLBUFSIZ]);
 
+               if (!inst) {
+                       ret = -ENODEV;
+                       goto out;
+               }
                nfulnl_set_nlbufsiz(inst, ntohl(nlbufsiz));
        }
 
@@ -845,12 +841,21 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                __be32 qthresh =
                        *(__be32 *)nla_data(nfula[NFULA_CFG_QTHRESH]);
 
+               if (!inst) {
+                       ret = -ENODEV;
+                       goto out;
+               }
                nfulnl_set_qthresh(inst, ntohl(qthresh));
        }
 
        if (nfula[NFULA_CFG_FLAGS]) {
                __be16 flags =
                        *(__be16 *)nla_data(nfula[NFULA_CFG_FLAGS]);
+
+               if (!inst) {
+                       ret = -ENODEV;
+                       goto out;
+               }
                nfulnl_set_flags(inst, ntohs(flags));
        }
 