Re: [PATCH] netfilter: fix dangling pointer access of fake_rtable

From: Florian Westphal
Date: Mon Apr 22 2019 - 05:35:17 EST


Rundong Ge <rdong.ge@xxxxxxxxx> wrote:
> br_nf_pre_routing will call the NF_INET_PRE_ROUTING hooks, at this
> time both entry->state.in and entry->state.out are not bridge device.
>
> NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
> skb->dev, NULL,
> br_nf_pre_routing_finish);

skb->dev is munged in setup_prerouting() to be bridge or vlan device on
top of bridge.

That being said, I think we need this fix at least:

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -197,8 +197,15 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
.size = sizeof(*entry) + route_key_size,
};

+ if (skb_dst(skb)) {
+ skb_dst_force(skb);
+ if (!skb_dst(skb)) {
+ status = -EHOSTUNREACH;
+ goto err;
+ }
+ }
+
nf_queue_entry_get_refs(entry);
- skb_dst_force(skb);

switch (entry->state.pf) {
case AF_INET:


Then, why not add, in dev_cmp:

dst = skb_dst(skb);
if (dst && dst->dev->index == index ...

?