diff options
author | Vishwanath Pai <vpai@akamai.com> | 2017-02-16 20:55:45 +0100 |
---|---|---|
committer | Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> | 2017-02-19 19:08:47 +0100 |
commit | 40b446a1d8af17274746ff7079aa0a618dffbac3 (patch) | |
tree | c54107c91855cfec21bd9e7ea9af3a6730ed527e /net | |
parent | 50054a9223aaf79985c55ef7dd090ced15581567 (diff) | |
download | lwn-40b446a1d8af17274746ff7079aa0a618dffbac3.tar.gz lwn-40b446a1d8af17274746ff7079aa0a618dffbac3.zip |
netfilter: ipset: Null pointer exception in ipset list:set
If we use before/after to add an element to an empty list it will cause
a kernel panic.
$> cat crash.restore
create a hash:ip
create b hash:ip
create test list:set timeout 5 size 4
add test b before a
$> ipset -R < crash.restore
Executing the above will crash the kernel.
Signed-off-by: Vishwanath Pai <vpai@akamai.com>
Reviewed-by: Josh Hunt <johunt@akamai.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/ipset/ip_set_list_set.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c index 51077c53d76b..178d4eba013b 100644 --- a/net/netfilter/ipset/ip_set_list_set.c +++ b/net/netfilter/ipset/ip_set_list_set.c @@ -260,11 +260,14 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext, else prev = e; } + + /* If before/after is used on an empty set */ + if ((d->before > 0 && !next) || + (d->before < 0 && !prev)) + return -IPSET_ERR_REF_EXIST; + /* Re-add already existing element */ if (n) { - if ((d->before > 0 && !next) || - (d->before < 0 && !prev)) - return -IPSET_ERR_REF_EXIST; if (!flag_exist) return -IPSET_ERR_EXIST; /* Update extensions */ |