From: Aditya Pakki To: pakki001@umn.edu Cc: kjlu@umn.edu, Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Alexey Kuznetsov , Hideaki YOSHIFUJI , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] netfilter: ip6t_srh: Fix potential NULL pointer dereference Date: Mon, 11 Mar 2019 18:19:20 -0500 Message-Id: <20190311231920.26514-1-pakki001@umn.edu> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org skb_header_pointer in srh_mt6 may return a NULL pointer that is dereferenced in ipv6_masked_addr_cmp. This patch avoids such a scenario. Signed-off-by: Aditya Pakki --- net/ipv6/netfilter/ip6t_srh.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c index 1059894a6f4c..5a1c0437f74b 100644 --- a/net/ipv6/netfilter/ip6t_srh.c +++ b/net/ipv6/netfilter/ip6t_srh.c @@ -210,9 +210,10 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par) psidoff = srhoff + sizeof(struct ipv6_sr_hdr) + ((srh->segments_left + 1) * sizeof(struct in6_addr)); psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid); - if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID, + if (psid && + NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID, ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk, - &srhinfo->psid_addr))) + &srhinfo->psid_addr))) return false; } @@ -223,7 +224,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par) nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) + ((srh->segments_left - 1) * sizeof(struct in6_addr)); nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid); - if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID, + if (nsid && + NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID, ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk, &srhinfo->nsid_addr))) return false; 
@@ -233,7 +235,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par) if (srhinfo->mt_flags & IP6T_SRH_LSID) { lsidoff = srhoff + sizeof(struct ipv6_sr_hdr); lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid); - if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID, + if (lsid && + NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID, ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk, &srhinfo->lsid_addr))) return false; -- 2.17.1
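Review bot: In the first hunk (@@ -210, the previous-SID lookup), `if (psid && NF_SRH_INVF(...))` makes a NULL result from skb_header_pointer skip the `return false`, so a packet too short to contain the previous SID is not rejected and evaluation continues with the checks that follow. The dereference is avoided, but the psid condition of the rule is skipped rather than failed. Consider testing the pointer on its own right after the skb_header_pointer call, `if (!psid) return false;`, and leaving the NF_SRH_INVF condition as it was; that also removes the need to re-wrap the condition and drops the whitespace-only change to the `&srhinfo->psid_addr)))` line.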
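Review bot: In the second hunk (@@ -223, the next-SID lookup), NF_SRH_INVF is moved to its own line but the continuation lines `ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk,` and `&srhinfo->nsid_addr)))` are left untouched, while the first hunk rewrites its last continuation line; the three hunks should wrap and align the condition the same way. The `nsid &&` guard also means a failed skb_header_pointer call bypasses `return false` for this branch, so a separate `if (!nsid) return false;` before the comparison would keep both the behaviour and the formatting simple.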
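Review bot: The changelog names srh_mt6, but the hunk headers, including the last one at @@ -233 (the IP6T_SRH_LSID branch), all show srh1_mt6 as the function being changed; the commit message should name the function the patch actually touches. It should also say what the match returns when skb_header_pointer fails, because with `lsid &&` this branch no longer returns false for a packet whose last SID cannot be read, and "avoids such a scenario" does not tell a reader whether that is intended.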