From patchwork Wed Feb 15 22:45:26 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vishwanath Pai
X-Patchwork-Id: 728406
X-Patchwork-Delegate: davem@davemloft.net
Received: from bos-lpqrs.kendall.corp.akamai.com (bos-lpqrs.kendall.corp.akamai.com [172.28.13.81]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id C26851FC90; Wed, 
15 Feb 2017 22:47:26 +0000 (GMT) Received: from vpai by bos-lpqrs.kendall.corp.akamai.com with local (Exim 4.82) (envelope-from ) id 1ce8MA-0005jl-NW; Wed, 15 Feb 2017 17:47:26 -0500 From: Vishwanath Pai To: Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Cc: Vishwanath Pai , johunt@akamai.com, pai.vishwain@gmail.com, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org Subject: [PATCH] netfilter: ipset: Null pointer exception in ipset list:set Date: Wed, 15 Feb 2017 17:45:26 -0500 Message-Id: <1487198726-21866-1-git-send-email-vpai@akamai.com> X-Mailer: git-send-email 1.9.1 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If we use before/after to add an element to an empty list it will cause a kernel panic. $> cat crash.restore create a hash:ip create b hash:ip create test list:set timeout 5 size 4 add test b before a $> ipset -R < crash.restore Executing the above will crash the kernel. Signed-off-by: Vishwanath Pai Reviewed-by: Josh Hunt --- net/netfilter/ipset/ip_set_list_set.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c index 51077c5..178d4eb 100644 --- a/net/netfilter/ipset/ip_set_list_set.c +++ b/net/netfilter/ipset/ip_set_list_set.c @@ -260,11 +260,14 @@ struct list_set { else prev = e; } + + /* If before/after is used on an empty set */ + if ((d->before > 0 && !next) || + (d->before < 0 && !prev)) + return -IPSET_ERR_REF_EXIST; + /* Re-add already existing element */ if (n) { - if ((d->before > 0 && !next) || - (d->before < 0 && !prev)) - return -IPSET_ERR_REF_EXIST; if (!flag_exist) return -IPSET_ERR_EXIST; /* Update extensions */
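Review bot: The comment added above the hoisted check, "If before/after is used on an empty set", is narrower than the condition it documents. The test (d->before > 0 && !next) || (d->before < 0 && !prev) holds whenever the walk above left next or prev unset, which covers a non-empty set that does not contain the reference element as well as an empty one. Suggest rewording the comment along the lines of "before/after given but the reference element is not in the set". Since the check now runs before the if (n) branch, it also applies to elements that are not yet in the set, so it would help to state in the changelog that such an add now returns -IPSET_ERR_REF_EXIST, and to carry the crash.restore reproducer along as a regression test.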