Commit 5c538437 authored by Florian Westphal's avatar Florian Westphal Committed by Lee Jones
Browse files

UPSTREAM: netfilter: nft_set_rbtree: fix null deref on element insertion 



commit 61ae320a upstream.

There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():

general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 nft_add_set_elem+0x14b0/0x2990
  nf_tables_newsetelem+0x528/0xb30

Furthermore, there is a possible use-after-free while iterating,
'node' can be free'd so we need to cache the next value to use.

Bug: 299922216
Fixes: c9e6978e ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 899aa563)
Signed-off-by: default avatarLee Jones <joneslee@google.com>
Change-Id: I92ea38718b5df46a930258f5acc93e2fa80ca60d
parent cb69ab1e
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment