mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-06 00:39:48 +00:00
netfilter: nft_rbtree: ignore inactive matching element with no descendants
If we find a matching element that is inactive with no descendants, we jump to the found label, then crash because of nul-dereference on the left branch. Fix this by checking that the element is active and not an interval end and skipping the logic that only applies to the tree iteration. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: Anders K. Pedersen <akp@akp.dk>
This commit is contained in:
parent
2c86943c20
commit
c1eda3c639
1 changed files with 6 additions and 4 deletions
|
@ -70,7 +70,6 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
|
|||
} else if (d > 0)
|
||||
parent = parent->rb_right;
|
||||
else {
|
||||
found:
|
||||
if (!nft_set_elem_active(&rbe->ext, genmask)) {
|
||||
parent = parent->rb_left;
|
||||
continue;
|
||||
|
@ -84,9 +83,12 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
|
|||
}
|
||||
}
|
||||
|
||||
if (set->flags & NFT_SET_INTERVAL && interval != NULL) {
|
||||
rbe = interval;
|
||||
goto found;
|
||||
if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
|
||||
nft_set_elem_active(&interval->ext, genmask) &&
|
||||
!nft_rbtree_interval_end(interval)) {
|
||||
spin_unlock_bh(&nft_rbtree_lock);
|
||||
*ext = &interval->ext;
|
||||
return true;
|
||||
}
|
||||
out:
|
||||
spin_unlock_bh(&nft_rbtree_lock);
|
||||
|
|
Loading…
Reference in a new issue