
Commit 8cbc870

committed
netfilter: nfnetlink_log: validate dependencies to avoid breaking atomicity
Check that dependencies are fulfilled before updating the logger instance, otherwise we can leave things in intermediate state on errors in nfulnl_recv_config(). [ Ken-ichirou reports that this is also fixing missing instance refcnt drop on error introduced in his patch 914eebf ("netfilter: nfnetlink_log: autoload nf_conntrack_netlink module NFQA_CFG_F_CONNTRACK config flag"). ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
1 parent 336a3b3 commit 8cbc870


1 file changed

+24
-19
lines changed


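--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -825,6 +825,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 struct net *net = sock_net(ctnl);
 struct nfnl_log_net *log = nfnl_log_pernet(net);
 int ret = 0;
+u16 flags;
 
 if (nfula[NFULA_CFG_CMD]) {
 u_int8_t pf = nfmsg->nfgen_family;
@@ -846,6 +847,28 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 goto out_put;
 }
 
+/* Check if we support these flags in first place, dependencies should
+* be there too not to break atomicity.
+*/
+if (nfula[NFULA_CFG_FLAGS]) {
+flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));
+
+if ((flags & NFULNL_CFG_F_CONNTRACK) &&
+!rcu_access_pointer(nfnl_ct_hook)) {
+#ifdef CONFIG_MODULES
+nfnl_unlock(NFNL_SUBSYS_ULOG);
+request_module("ip_conntrack_netlink");
+nfnl_lock(NFNL_SUBSYS_ULOG);
+if (rcu_access_pointer(nfnl_ct_hook)) {
+ret = -EAGAIN;
+goto out_put;
+}
+#endif
+ret = -EOPNOTSUPP;
+goto out_put;
+}
+}
+
 if (cmd != NULL) {
 switch (cmd->command) {
 case NFULNL_CFG_CMD_BIND:
@@ -905,26 +928,8 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
 nfulnl_set_qthresh(inst, ntohl(qthresh));
 }
 
-if (nfula[NFULA_CFG_FLAGS]) {
-u16 flags = ntohs(nla_get_be16(nfula[NFULA_CFG_FLAGS]));
-
-if (flags & NFULNL_CFG_F_CONNTRACK &&
-!rcu_access_pointer(nfnl_ct_hook)) {
-#ifdef CONFIG_MODULES
-nfnl_unlock(NFNL_SUBSYS_ULOG);
-request_module("ip_conntrack_netlink");
-nfnl_lock(NFNL_SUBSYS_ULOG);
-if (rcu_access_pointer(nfnl_ct_hook)) {
-ret = -EAGAIN;
-goto out;
-}
-#endif
-ret = -EOPNOTSUPP;
-goto out;
-}
-
+if (nfula[NFULA_CFG_FLAGS])
 nfulnl_set_flags(inst, flags);
-}
 
 out_put:
 instance_put(inst);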
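Review bot: The new pre-check in the second hunk only tests the NFULNL_CFG_F_CONNTRACK dependency, although its comment says it checks whether the flags are supported at all; any other bit in the user-supplied NFULA_CFG_FLAGS value still reaches `nfulnl_set_flags(inst, flags)` in the third hunk unchanged. If rejecting unknown bits is acceptable for existing userspace, a guard such as `if (flags & ~(NFULNL_CFG_F_SEQ | NFULNL_CFG_F_SEQ_GLOBAL | NFULNL_CFG_F_CONNTRACK)) { ret = -EOPNOTSUPP; goto out_put; }` right after the `ntohs()` line would make the code match the comment; otherwise the comment should be narrowed to say that only the conntrack dependency is checked. Separately, `u16 flags;` is now function-scoped and read under a repeated `nfula[NFULA_CFG_FLAGS]` test, so `u16 flags = 0;` would keep a later edit of either condition from reading it uninitialised. nfulnl_recv_config starts and ends outside the hunks shown, so how `inst` is obtained before the first `goto out_put` is not visible here.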
