summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2018-08-17 15:35:47 +0200
committerFlorian Westphal <fw@strlen.de>2018-08-17 16:15:23 +0200
commit92f7b04fbd1803783b3efe1f1de8e81b2bac15ac (patch)
treea6bf5852c800e3e9d52f993269ad66fbcb120184
parent294f9ef5ee354ff902dfdc091a604f93083c248d (diff)
xtables: Fix for segfault in iptables-nft
Trying to set a chain's policy in an invalid table resulted in a segfault. Reproducer was: | # iptables -t broute -P BROUTING ACCEPT Fix this by aborting in nft_chain_new() if nft_table_builtin_find() returned NULL for the given table name. For an illustrative error message, set errno to ENXIO in the above case and add an appropriate Mesage to nft_strerror(). While being at it, improve the error message if an invalid policy was given. Before: | # iptables-nft -t filter -P INPUT ACCEPTdf | iptables: Incompatible with this kernel. After: | # iptables-nft -t filter -P INPUT ACCEPTdf | iptables: Bad policy name. Run `dmesg' for more information. Third unrelated change in this patch: Drop error checking of nft_chain_set() in do_commandx(): The function never returns negative, so that check never yielded true. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--iptables/nft.c11
-rw-r--r--iptables/xtables.c3
2 files changed, 9 insertions, 5 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 0b29caeb..dd8469a9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
struct builtin_chain *_c;
_t = nft_table_builtin_find(h, table);
+ if (!_t) {
+ errno = ENXIO;
+ return NULL;
+ }
+
/* if this built-in table does not exists, create it */
- if (_t != NULL)
- nft_table_builtin_add(h, _t);
+ nft_table_builtin_add(h, _t);
_c = nft_chain_builtin_find(_t, chain);
if (_c != NULL) {
@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
c = nft_chain_new(h, table, chain, NF_DROP, counters);
else if (strcmp(policy, "ACCEPT") == 0)
c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
+ else
+ errno = EINVAL;
if (c == NULL)
return 0;
@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err)
"Bad rule (does a matching rule exist in that chain?)" },
{ nft_chain_set, ENOENT, "Bad built-in chain name" },
{ nft_chain_set, EINVAL, "Bad policy name" },
+ { nft_chain_set, ENXIO, "Bad table name" },
{ NULL, ELOOP, "Loop found in table" },
{ NULL, EPERM, "Permission denied (you must be root)" },
{ NULL, 0, "Incompatible with this kernel" },
diff --git a/iptables/xtables.c b/iptables/xtables.c
index d9050b45..72f65962 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
break;
case CMD_SET_POLICY:
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
- if (ret < 0)
- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
- p.policy);
break;
default:
/* We should never reach this... */