netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT
author Liping Zhang <liping.zhang@spreadtrum.com>
Sun, 21 Aug 2016 17:02:18 +0000 (01:02 +0800)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Thu, 25 Aug 2016 10:55:34 +0000 (12:55 +0200)
commit 89e1f6d2b956649fbe0704d543a90b8e0cf872b0
tree 5b44bf9b14d011a0072c609bec983b64ac52041d
parent 51af96b53469f3b8cfcfe0504d0ff87239175b78
netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT

After I added the nft rule "nft add rule filter prerouting reject
with tcp reset", a kernel panic happened on my system:
  NULL pointer dereference at ...
  IP: [<ffffffff81b9db2f>] nf_send_reset+0xaf/0x400
  Call Trace:
  [<ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160
  [<ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
  [<ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables]
  [<ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables]
  [<ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
  [<ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
  [...]

Because in the PREROUTING chain, routing information does not exist,
we will dereference the NULL pointer and an oops happens.

So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nft_reject.h
net/ipv4/netfilter/nft_reject_ipv4.c
net/ipv6/netfilter/nft_reject_ipv6.c
net/netfilter/nft_reject.c
net/netfilter/nft_reject_inet.c
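The hook restriction the commit describes, as an added example that is not the kernel's code: a userspace C model of a rule-load-time validate callback that refuses a reject expression on any chain not hooked at INPUT, FORWARD or OUTPUT, so the RST/ICMP path can never run before a routing decision exists. Hook numbering follows the kernel's enum nf_inet_hooks; the model_ prefixed names, the chain struct, the hook-keyword table and the simulated "add rule" helper are assumptions made for this example.

```c
/* Added example, not kernel code: a userspace model of refusing an nft
 * reject expression on chains hooked outside INPUT/FORWARD/OUTPUT.
 * Hook numbers follow the kernel's enum nf_inet_hooks; everything
 * prefixed model_ is an assumption made for this illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum nf_inet_hooks {
    NF_INET_PRE_ROUTING,
    NF_INET_LOCAL_IN,
    NF_INET_FORWARD,
    NF_INET_LOCAL_OUT,
    NF_INET_POST_ROUTING,
    NF_INET_NUMHOOKS
};

/* nft chain hook keywords as typed on the command line (assumed table). */
static const char *const model_hook_names[NF_INET_NUMHOOKS] = {
    [NF_INET_PRE_ROUTING]  = "prerouting",
    [NF_INET_LOCAL_IN]     = "input",
    [NF_INET_FORWARD]      = "forward",
    [NF_INET_LOCAL_OUT]    = "output",
    [NF_INET_POST_ROUTING] = "postrouting",
};

/* Hooks on which reject may run: bit n set means hook n is allowed.
 * Matches the INPUT, FORWARD and OUTPUT restriction in the commit. */
#define MODEL_REJECT_ALLOWED_HOOKS \
    ((1u << NF_INET_LOCAL_IN) | (1u << NF_INET_FORWARD) | (1u << NF_INET_LOCAL_OUT))

/* Minimal model of a base chain: only the hook it is attached to. */
struct model_chain {
    const char *name;
    unsigned int hooknum;
};

/* Map a chain hook keyword to its hook number, or -1 if unknown. */
int model_hook_from_name(const char *name)
{
    for (int i = 0; i < NF_INET_NUMHOOKS; i++)
        if (strcmp(model_hook_names[i], name) == 0)
            return i;
    return -1;
}

/* Model of a validate callback run when a rule is loaded: 0 if the chain's
 * hook is in the allowed mask, -EOPNOTSUPP otherwise. Refusing the rule
 * here means the eval path that needs a route is never reached from a
 * chain where no route has been attached yet. */
int model_reject_validate(const struct model_chain *chain)
{
    if (chain->hooknum >= NF_INET_NUMHOOKS)
        return -EINVAL;
    if (!((1u << chain->hooknum) & MODEL_REJECT_ALLOWED_HOOKS))
        return -EOPNOTSUPP;
    return 0;
}

/* Simulate "nft add rule filter <chain> reject with tcp reset" on a chain
 * hooked at the named hook: 0 if the rule would load, negative errno if it
 * would be refused at load time instead of oopsing later at eval time. */
int model_add_reject_rule(const char *hook_name)
{
    int hooknum = model_hook_from_name(hook_name);
    if (hooknum < 0)
        return -EINVAL;

    struct model_chain chain = { .name = hook_name, .hooknum = (unsigned int)hooknum };
    return model_reject_validate(&chain);
}

int main(void)
{
    /* Try the reject rule on a chain at every hook and report the outcome. */
    for (int i = 0; i < NF_INET_NUMHOOKS; i++) {
        int err = model_add_reject_rule(model_hook_names[i]);
        printf("%-12s reject with tcp reset: %s\n", model_hook_names[i],
               err == 0 ? "accepted" : strerror(-err));
    }
    return 0;
}
```

The check sits in the validate step rather than in the eval path on purpose: catching the bad chain type when the rule is added turns a kernel oops into an error returned to the nft command, which is also where the equivalent iptables REJECT restriction is enforced.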