From: Colin King
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S . Miller", Jakub Kicinski, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] netfilter: nf_tables: Fix dereference of null pointer flow
Date: Thu, 24 Jun 2021 20:57:18 +0100
Message-Id: <20210624195718.170796-1-colin.king@canonical.com>

From: Colin Ian King

In the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then nft_flow_rule_create is not called and flow is NULL. The subsequent error handling execution via label err_destroy_flow_rule will lead to a null pointer dereference on flow when calling nft_flow_rule_destroy.

Since the error path to err_destroy_flow_rule has to cater for null and non-null flows, only call nft_flow_rule_destroy if flow is non-null to fix this issue.

Addresses-Coverity: ("Explicity null dereference")
Fixes: 3c5e44622011 ("netfilter: nf_tables: memleak in hw offload abort path")
Signed-off-by: Colin Ian King

--- net/netfilter/nf_tables_api.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 390d4466567f..de182d1f7c4e 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3446,7 +3446,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, return 0; err_destroy_flow_rule: - nft_flow_rule_destroy(flow); + if (flow) + nft_flow_rule_destroy(flow); err_release_rule: nf_tables_rule_release(&ctx, rule); err_release_expr: -- 2.31.1
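
Review bot: the `if (flow)` guard under err_destroy_flow_rule only protects this one call site, while the commit message says nft_flow_rule_destroy itself dereferences a NULL flow. Consider moving the check into nft_flow_rule_destroy as an early return on NULL, so the label keeps its unconditional call and any other caller that can reach it with a NULL flow is covered too. The guard also depends on flow being initialised to NULL when the NFT_CHAIN_HW_OFFLOAD branch is skipped; the declaration is outside this hunk, so it is worth confirming that and saying so in the commit message. Minor: the Addresses-Coverity tag reads "Explicity", which looks like a typo.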