netfilter: nf_tables: fix nft_trans type confusion

gvrose8192 · gvrose8192 · commit 50e218d74e05 · 2024-11-01T17:13:28.000-07:00
jira VULN-597 subsystem-sync netfilter:nf_tables 4.18.0-534 commit-author Florian Westphal <fw@strlen.de> commit e3c361b upstream-diff - Some cruft in nft_rule_lookup_byid() - resolved by using branch 4.18.0-534 as the source of truth. nft_trans_FOO objects all share a common nft_trans base structure, but trailing fields depend on the real object size. Access is only safe after trans->msg_type check. Check for rule type first. Found by code inspection. Fixes: 1a94e38 ("netfilter: nf_tables: add NFTA_RULE_ID attribute") Signed-off-by: Florian Westphal <fw@strlen.de> (cherry picked from commit e3c361b) Signed-off-by: Greg Rose <g.v.rose@ciq.com>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -3330,12 +3330,10 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
 	struct nft_trans *trans;
 
 	list_for_each_entry(trans, &net->nft.commit_list, list) {
-		struct nft_rule *rule = nft_trans_rule(trans);
-
 		if (trans->msg_type == NFT_MSG_NEWRULE &&
 		    trans->ctx.chain == chain &&
 		    id == nft_trans_rule_id(trans))
-			return rule;
+			return nft_trans_rule(trans);
 	}
 	return ERR_PTR(-ENOENT);
 }

Original file line number	Diff line number	Diff line change
`@@ -3330,12 +3330,10 @@ static struct nft_rule nft_rule_lookup_byid(const struct net net,`
`3330`	`3330`	`struct nft_trans *trans;`
`3331`	`3331`
`3332`	`3332`	`list_for_each_entry(trans, &net->nft.commit_list, list) {`
`3333`		`- struct nft_rule *rule = nft_trans_rule(trans);`
`3334`		`-`
`3335`	`3333`	`if (trans->msg_type == NFT_MSG_NEWRULE &&`
`3336`	`3334`	`trans->ctx.chain == chain &&`
`3337`	`3335`	`id == nft_trans_rule_id(trans))`
`3338`		`- return rule;`
	`3336`	`+ return nft_trans_rule(trans);`
`3339`	`3337`	`}`
`3340`	`3338`	`return ERR_PTR(-ENOENT);`
`3341`	`3339`	`}`