summaryrefslogtreecommitdiff
path: root/net/bridge
diff options
context:
space:
mode:
authorThomas Graf <tgraf@suug.ch>2014-04-04 17:57:45 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2014-04-05 17:46:22 +0200
commitc58dd2dd443c26d856a168db108a0cd11c285bf3 (patch)
treefc3b89ed8e66d3f99f9322efc812e8c7bcd60509 /net/bridge
parent2fec6bb6f484b1a88b4a325724234d6cfd08c918 (diff)
netfilter: Can't fail and free after table replacement
All xtables variants suffer from the defect that the copy_to_user() to copy the counters to user memory may fail after the table has already been exchanged and thus exposed. Return an error at this point will result in freeing the already exposed table. Any subsequent packet processing will result in a kernel panic. We can't copy the counters before exposing the new tables as we want provide the counter state after the old table has been unhooked. Therefore convert this into a silent error. Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/bridge')
-rw-r--r--net/bridge/netfilter/ebtables.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 0e474b13463b..1059ed3bc255 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
if (repl->num_counters &&
copy_to_user(repl->counters, counterstmp,
repl->num_counters * sizeof(struct ebt_counter))) {
- ret = -EFAULT;
+ /* Silent error, can't fail, new table is already in place */
+ net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
}
- else
- ret = 0;
/* decrease module count and free resources */
EBT_ENTRY_ITERATE(table->entries, table->entries_size,