Hi!
From: Pablo Neira Ayuso pablo@netfilter.org
commit 826035498ec14b77b62a44f0cb6b94d45530db6f upstream.
This new helper function validates that unknown family and chain type coming from userspace do not trigger an out-of-bound array access. Bail out in case __nft_chain_type_get() returns NULL from nft_chain_parse_hook().
+++ b/net/netfilter/nf_tables_api.c @@ -472,14 +472,27 @@ static inline u64 nf_tables_alloc_handle static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; static const struct nft_chain_type * +__nft_chain_type_get(u8 family, enum nft_chain_types type) +{
- if (family >= NFPROTO_NUMPROTO ||
type >= NFT_CHAIN_T_MAX)
return NULL;
- return chain_type[family][type];
+}
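Review bot: the bounds check at the top of __nft_chain_type_get() compares `type >= NFT_CHAIN_T_MAX` on a parameter declared `enum nft_chain_types`, and the underlying type of an enum is implementation-defined in C, so on a compiler that chooses a signed type a negative value arriving from userspace would pass the check and index chain_type[family][type] with a negative offset. Writing the test as `(unsigned int)type >= NFT_CHAIN_T_MAX`, or declaring the parameter `unsigned int` since the value originates in a netlink attribute, makes the check independent of that choice. The quoted hunk also shows only the helper itself; the NULL check in nft_chain_parse_hook() that the commit message describes is not part of the excerpt, so the "bail out" half of the change cannot be reviewed from what is visible here.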
Are enum types guaranteed to be unsigned on all compilers we care about? Google says they can be signed, too. So, should the test be "((unsigned int) type) >= ..." ?
Best regards, Pavel
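As an added illustration of the point Pavel raises (this is not kernel code and not part of the thread): a table lookup in the style of __nft_chain_type_get() whose index check does not depend on whether the compiler gives the enum a signed or unsigned underlying type, plus a small probe reporting which choice the compiler made. Array sizes, enum values and table contents are placeholders, not the kernel's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUMPROTO 4   /* placeholder standing in for NFPROTO_NUMPROTO */

/* Placeholder enum; the real nft_chain_types has different members. */
enum chain_types { CHAIN_T_DEFAULT, CHAIN_T_ROUTE, CHAIN_T_NAT, CHAIN_T_MAX };

struct chain_type { const char *name; };

static const struct chain_type filter_v4 = { "ipv4-filter" };
static const struct chain_type nat_v4 = { "ipv4-nat" };

/* Registration table: unregistered slots stay NULL, as in the kernel. */
static const struct chain_type *const table[NUMPROTO][CHAIN_T_MAX] = {
    [2][CHAIN_T_DEFAULT] = &filter_v4,
    [2][CHAIN_T_NAT]     = &nat_v4,
};

/* The C standard leaves the enum's underlying type to the implementation;
 * this reports whether the compiler building this file picked a signed one. */
int chain_types_enum_is_signed(void)
{
    return (enum chain_types)-1 < 0;
}

/* Lookup with the cast Pavel suggests: converting to unsigned folds any
 * negative value into a large one, so one >= comparison rejects it whatever
 * the enum's underlying type is. A NULL return means "bail out". */
const struct chain_type *chain_type_get(uint8_t family, enum chain_types type)
{
    if (family >= NUMPROTO || (unsigned int)type >= CHAIN_T_MAX)
        return NULL;
    return table[family][type];   /* may still be NULL for an empty slot */
}

int main(void)
{
    const struct chain_type *ct = chain_type_get(2, CHAIN_T_NAT);
    printf("enum signed on this compiler: %d\n", chain_types_enum_is_signed());
    printf("family 2 / nat: %s\n", ct ? ct->name : "(null)");
    printf("family 9: %s\n", chain_type_get(9, CHAIN_T_DEFAULT) ? "hit" : "rejected");
    printf("type -1: %s\n", chain_type_get(2, (enum chain_types)-1) ? "hit" : "rejected");
    return 0;
}
```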