authorVishwanath Pai <vpai@akamai.com>2017-02-16 20:55:45 +0100
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2017-02-16 20:55:45 +0100
commit4d0d11e63493ddc126324e59f2840105dbeba725 (patch)
tree10b65d06001f332722b90e7544d2e84e23611d91
parent414d819ebee11b52374f566434220887eb8246b7 (diff)
netfilter: ipset: Null pointer exception in ipset list:set
If we use before/after to add an element to an empty list it will cause a kernel panic. $> cat crash.restore create a hash:ip create b hash:ip create test list:set timeout 5 size 4 add test b before a $> ipset -R < crash.restore Executing the above will crash the kernel. Signed-off-by: Vishwanath Pai <vpai@akamai.com> Reviewed-by: Josh Hunt <johunt@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-rw-r--r--kernel/net/netfilter/ipset/ip_set_list_set.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/kernel/net/netfilter/ipset/ip_set_list_set.c b/kernel/net/netfilter/ipset/ip_set_list_set.c
index 51077c5..178d4eb 100644
--- a/kernel/net/netfilter/ipset/ip_set_list_set.c
+++ b/kernel/net/netfilter/ipset/ip_set_list_set.c
@@ -260,11 +260,14 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
else
prev = e;
}
+
+ /* If before/after is used on an empty set */
+ if ((d->before > 0 && !next) ||
+ (d->before < 0 && !prev))
+ return -IPSET_ERR_REF_EXIST;
+
/* Re-add already existing element */
if (n) {
- if ((d->before > 0 && !next) ||
- (d->before < 0 && !prev))
- return -IPSET_ERR_REF_EXIST;
if (!flag_exist)
return -IPSET_ERR_EXIST;
/* Update extensions */
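Review bot: The comment on the hoisted check, `/* If before/after is used on an empty set */`, is narrower than the condition it labels: `!next` / `!prev` holds whenever the reference member was not matched by the loop, which presumably also covers a non-empty list that simply does not contain it. I would word it as `/* before/after requested but the reference element is not in the list */` so a later reader does not treat this as an empty-list special case and move it back under `if (n)`. The comment could also say that the check must run before the insert path, which lies outside this hunk and, judging by the commit message, is where `next`/`prev` are dereferenced and the panic occurs. list_set_uadd starts before and continues after the hunk.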