netfilter: nft_rbtree: ignore inactive matching element with no descendants

If we find a matching element that is inactive with no descendants, we jump to the found label, then crash because of nul-dereference on the left branch. Fix this by checking that the element is active and not an interval end and skipping the logic that only applies to the tree iteration. Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: N Anders K. Pedersen <akp@akp.dk>

netfilter: nft_rbtree: ignore inactive matching element with no descendants
If we find a matching element that is inactive with no descendants, we jump to the found label, then crash because of nul-dereference on the left branch. Fix this by checking that the element is active and not an interval end and skipping the logic that only applies to the tree iteration. Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Tested-by: N Anders K. Pedersen <akp@akp.dk>
c1eda3c6 · Pablo Neira Ayuso · 2c86943c · c1eda3c6
隐藏空白更改
内联并排

Showing with 6 addition and 4 deletion

net/netfilter/nft_rbtree.c net/netfilter/nft_rbtree.c +6 -4

未找到文件。
--- a/net/netfilter/nft_rbtree.c
+++ b/net/netfilter/nft_rbtree.c
@@ -70,7 +70,6 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
 		} else if (d > 0)
 			parent = parent->rb_right;
 		else {
-found:
 			if (!nft_set_elem_active(&rbe->ext, genmask)) {
 				parent = parent->rb_left;
 				continue;
@@ -84,9 +83,12 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
 		}
 	}

-	if (set->flags & NFT_SET_INTERVAL && interval != NULL) {
-		rbe = interval;
-		goto found;
+	if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
+	    nft_set_elem_active(&interval->ext, genmask) &&
+	    !nft_rbtree_interval_end(interval)) {
+		spin_unlock_bh(&nft_rbtree_lock);
+		*ext = &interval->ext;
+		return true;
 	}
 out:
 	spin_unlock_bh(&nft_rbtree_lock);