Unverified Commit 5a1a48ed authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!1435 fix CVE-2023-3117

Merge Pull Request from: @LiuYongQiang0816 
 
3 patches from Lu Wei 
 
Link:https://gitee.com/openeuler/kernel/pulls/1435

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents 8121bcb0 2414a3ff
+1 −0
@@ -733,6 +733,7 @@ struct nft_expr_type {

enum nft_trans_phase {
	NFT_TRANS_PREPARE,
	NFT_TRANS_PREPARE_ERROR,
	NFT_TRANS_ABORT,
	NFT_TRANS_COMMIT,
	NFT_TRANS_RELEASE
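Review bot: `NFT_TRANS_PREPARE_ERROR` is added to `enum nft_trans_phase` without a comment, and it is the one phase whose meaning cannot be read off its name. Any code that receives the phase through `nft_rule_expr_deactivate` or `nf_tables_deactivate_set` and compares it against `NFT_TRANS_PREPARE`, or switches on it, now sees a value it was not written for. Those handlers are outside this section, so each should be checked to confirm the new phase takes the branch that undoes preparation rather than a release branch. I would record the contract at the enumerator, for example `/* rule add failed during prepare: undo the bind, leave freeing to the abort path */`.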
+25 −4
@@ -115,7 +115,8 @@ static void nft_trans_destroy(struct nft_trans *trans)
	kfree(trans);
}

static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
				 bool bind)
{
	struct net *net = ctx->net;
	struct nft_trans *trans;
@@ -127,16 +128,26 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
		switch (trans->msg_type) {
		case NFT_MSG_NEWSET:
			if (nft_trans_set(trans) == set)
				nft_trans_set_bound(trans) = true;
				nft_trans_set_bound(trans) = bind;
			break;
		case NFT_MSG_NEWSETELEM:
			if (nft_trans_elem_set(trans) == set)
				nft_trans_elem_set_bound(trans) = true;
				nft_trans_elem_set_bound(trans) = bind;
			break;
		}
	}
}

static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
{
	return __nft_set_trans_bind(ctx, set, true);
}

static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
{
	return __nft_set_trans_bind(ctx, set, false);
}

static int nf_tables_register_hook(struct net *net,
				   const struct nft_table *table,
				   struct nft_chain *chain)
@@ -2755,7 +2766,8 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,

	return 0;
err2:
	nf_tables_rule_release(&ctx, rule);
	nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
	nf_tables_rule_destroy(&ctx, rule);
err1:
	for (i = 0; i < n; i++) {
		if (info[i].ops) {
@@ -3774,6 +3786,15 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
			      enum nft_trans_phase phase)
{
	switch (phase) {
	case NFT_TRANS_PREPARE_ERROR:
		nft_set_trans_unbind(ctx, set);
		if (nft_set_is_anonymous(set))
			nft_deactivate_next(ctx->net, set);
		else
			list_del_rcu(&binding->list);

		set->use--;
		break;
	case NFT_TRANS_PREPARE:
		if (nft_set_is_anonymous(set))
			nft_deactivate_next(ctx->net, set);
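Review bot: The new `case NFT_TRANS_PREPARE_ERROR:` branch in `nf_tables_deactivate_set` has no comment saying why it exists alongside `NFT_TRANS_PREPARE`, whose visible start looks the same apart from the `nft_set_trans_unbind` call. That call is the security-relevant part of the fix: as I read it, clearing the bound flag on the pending `NFT_MSG_NEWSET`/`NFT_MSG_NEWSETELEM` transactions hands the set back to the abort path so it is released exactly once. A comment above the call such as `/* newrule failed: mark the set transaction unbound so abort releases the set */` would keep a later cleanup from merging the two cases. The branch also does a bare `set->use--`; whether the counter can already be zero here depends on the bind path, which is outside the hunk, as are the function's signature start and the rest of its body.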