author | Aaron Conole | 2016-09-21 17:35:05 +0200 |
---|---|---|
committer | Pablo Neira Ayuso | 2016-09-24 21:30:19 +0200 |
commit | d4bb5caa9cc1a802ba25f605b24b5640c025806b (patch) | |
tree | 6386a7de4e22bb333ad4bbb0fa7dc92cbc941aa4 /net | |
parent | netfilter: Remove explicit rcu_read_lock in nf_hook_slow (diff) | |
netfilter: Only allow sane values in nf_register_net_hook
This commit adds an upfront check for sane values to be passed when
registering a netfilter hook. This will be used in a future patch for a
simplified hook list traversal.
Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/core.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index c8faf8102394..67b74287535d 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -89,6 +89,11 @@ int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
 struct nf_hook_entry *entry;
 struct nf_hook_ops *elem;
 
+ if (reg->pf == NFPROTO_NETDEV &&
+ (reg->hooknum != NF_NETDEV_INGRESS ||
+ !reg->dev || dev_net(reg->dev) != net))
+ return -EINVAL;
+
 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
 if (!entry)
 return -ENOMEM;
|
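Review bot: The added guard validates only the NFPROTO_NETDEV case, so for every other family `reg->pf` and `reg->hooknum` still reach the rest of nf_register_net_hook (which continues outside this hunk) unchecked. If the hook-list lookup further down indexes a per-netns table by those two fields, as it appears to, an out-of-range value from a misbehaving module would address memory past the table instead of failing cleanly. Since the commit's stated aim is to accept only sane values, consider a range check next to the new one, e.g. `if (reg->pf >= NFPROTO_NUMPROTO || reg->hooknum >= NF_MAX_HOOKS) return -EINVAL;`. A short comment above the netdev check, such as `/* netdev hooks must name an ingress device that lives in this netns */`, would also record why `dev_net(reg->dev) != net` is rejected.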