netfilter: xtables: avoid BUG_ON

mainline inclusion from mainline-v4.20-rc1 commit 70c0eb1c category: bugfix bugzilla: 51403 CVE: NA ------------------------------------------------- I see no reason for them, label or timer cannot be NULL, and if they were, we'll crash with null deref anyway. For skb_header_pointer failure, just set hotdrop to true and toss such packet. Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Xu Jia <xujia39@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

netfilter: xtables: avoid BUG_ON
mainline inclusion from mainline-v4.20-rc1 commit 70c0eb1c category: bugfix bugzilla: 51403 CVE: NA ------------------------------------------------- I see no reason for them, label or timer cannot be NULL, and if they were, we'll crash with null deref anyway. For skb_header_pointer failure, just set hotdrop to true and toss such packet. Signed-off-by: N Florian Westphal <fw@strlen.de> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N Xu Jia <xujia39@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
b317bddc · Florian Westphal · Yang Yingliang · 0ab24262 · b317bddc · b317bddc
4 changed file
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -65,7 +65,10 @@ ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 		}

 		hp = skb_header_pointer(skb, ptr, sizeof(_hdr), &_hdr);
-		BUG_ON(hp == NULL);
+		if (!hp) {
+			par->hotdrop = true;
+			return false;
+		}

 		/* Calculate the header length */
 		if (nexthdr == NEXTHDR_FRAGMENT)

--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -137,7 +137,10 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 							sizeof(_addr),
 							&_addr);

-				BUG_ON(ap == NULL);
+				if (ap == NULL) {
+					par->hotdrop = true;
+					return false;
+				}

 				if (ipv6_addr_equal(ap, &rtinfo->addrs[i])) {
 					pr_debug("i=%d temp=%d;\n", i, temp);
@@ -166,7 +169,10 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 							+ temp * sizeof(_addr),
 							sizeof(_addr),
 							&_addr);
-				BUG_ON(ap == NULL);
+				if (ap == NULL) {
+					par->hotdrop = true;
+					return false;
+				}

 				if (!ipv6_addr_equal(ap, &rtinfo->addrs[temp]))
 					break;

--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -68,8 +68,6 @@ struct idletimer_tg *__idletimer_tg_find_by_label(const char *label)
 {
 	struct idletimer_tg *entry;

-	BUG_ON(!label);
-
 	list_for_each_entry(entry, &idletimer_tg_list, entry) {
 		if (!strcmp(label, entry->attr.attr.name))
 			return entry;
@@ -192,8 +190,6 @@ static unsigned int idletimer_tg_target(struct sk_buff *skb,
 	pr_debug("resetting timer %s, timeout period %u\n",
 		 info->label, info->timeout);

-	BUG_ON(!info->timer);
-
 	mod_timer(&info->timer->timer,
 		  msecs_to_jiffies(info->timeout * 1000) + jiffies);


--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -35,8 +35,6 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	u32 secmark = 0;
 	const struct xt_secmark_target_info *info = par->targinfo;

-	BUG_ON(info->mode != mode);
-
 	switch (mode) {
 	case SECMARK_MODE_SEL:
 		secmark = info->secid;