diff options
| author | Florian Westphal <fw@strlen.de> | 2018-11-12 22:43:45 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-11-13 09:57:33 +0100 |
| commit | 29e3880109e357fdc607b4393f8308cef6af9413 (patch) | |
| tree | c1bd28510eb2dbacce9076ca3f4b4eb6c173a515 /net/netfilter/xt_mark.c | |
| parent | 0fbcc5b568edab7d848b7c7fa66d44ffbd4133c0 (diff) | |
| download | linux-29e3880109e357fdc607b4393f8308cef6af9413.tar.bz2 | |
netfilter: nf_tables: fix use-after-free when deleting compat expressions
nft_compat ops do not have static storage duration, unlike all other
expressions.
When nf_tables_expr_destroy() returns, expr->ops might have been
free'd already, so we need to store next address before calling
expression destructor.
For same reason, we can't deref match pointer after nft_xt_put().
This can be easily reproduced by adding msleep() before
nft_match_destroy() returns.
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/xt_mark.c')
0 files changed, 0 insertions, 0 deletions