Re: [PATCH] netfilter: xt_realm: fix null-ptr-deref in realm_mt()

From: Florian Westphal

Date: Wed Apr 15 2026 - 05:02:59 EST


Kito Xu (veritas501) <hxzene@xxxxxxxxx> wrote:
> realm_mt() unconditionally dereferences skb_dst(skb) without a NULL
> check. The xt_realm match registers with .family = NFPROTO_UNSPEC,
> making it available to all netfilter protocol families. Through the
> nftables compat layer (nft_compat), an unprivileged user inside a
> user/net namespace can load this match into a bridge-family chain.

I do not think this bug is related to nft_compat.
You can also use the ebtables setsockopt API to request xt_realm, no?

> Fixes: ab4f21e6fb1c ("netfilter: xtables: use NFPROTO_UNSPEC in more extensions")

Looks correct. Alternatively we could revert the xt_realm.c change.
But I don't have a strong opinion here, patch looks correct.