Re: [PATCH][next] netfilter: nf_tables: Fix dereference of null pointer flow
From: Dan Carpenter
Date: Fri Jun 25 2021 - 05:59:36 EST
Btw, why is there no clean up if nft_table_validate() fails?
net/netfilter/nf_tables_api.c
3432 list_add_tail_rcu(&rule->list, &old_rule->list);
3433 else
3434 list_add_rcu(&rule->list, &chain->rules);
3435 }
3436 }
3437 kvfree(expr_info);
3438 chain->use++;
3439
3440 if (flow)
3441 nft_trans_flow_rule(trans) = flow;
3442
3443 if (nft_net->validate_state == NFT_VALIDATE_DO)
3444 return nft_table_validate(net, table);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The cleanup for this would be quite involved unfortunately... Not
necessarily something to attempt without being able to test the code.
3445
3446 return 0;
3447
3448 err_destroy_flow_rule:
3449 nft_flow_rule_destroy(flow);
3450 err_release_rule:
3451 nf_tables_rule_release(&ctx, rule);
3452 err_release_expr:
3453 for (i = 0; i < n; i++) {
3454 if (expr_info[i].ops) {
3455 module_put(expr_info[i].ops->type->owner);
3456 if (expr_info[i].ops->type->release_ops)
3457 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3458 }
3459 }
3460 kvfree(expr_info);
3461
3462 return err;
3463 }
regards,
dan carpenter