netfilter: nf_tables: fix oob access
[mirror_ubuntu-artful-kernel.git] / net / netfilter / xt_REDIRECT.c
index 651dce65a30b5fee461c15e10eadbc54c7e479ae..98a4c6d4f1cb9dc37b0f8839a075050c04287388 100644 (file)
@@ -40,7 +40,13 @@ static int redirect_tg6_checkentry(const struct xt_tgchk_param *par)
 
        if (range->flags & NF_NAT_RANGE_MAP_IPS)
                return -EINVAL;
-       return 0;
+
+       return nf_ct_netns_get(par->net, par->family);
+}
+
+static void redirect_tg_destroy(const struct xt_tgdtor_param *par)
+{
+       nf_ct_netns_put(par->net, par->family);
 }
 
 /* FIXME: Take multiple ranges --RR */
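Review bot: redirect_tg_destroy is added without a comment saying which reference it releases, yet it is the only counterpart to the nf_ct_netns_get() calls now returned from redirect_tg6_checkentry in this hunk and from redirect_tg4_check in the next one. I would put `/* Release the conntrack netns reference taken by the checkentry hooks. */` above it, so the get/put pairing is visible to whoever adds another revision or error path later. The balance presumably depends on x_tables calling .destroy only for entries whose checkentry returned 0; that is not visible in this diff and is worth confirming, since an extra put could release conntrack support in the netns while other rules still rely on it. redirect_tg6_checkentry begins outside the hunk, so earlier return paths could not be checked here.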
@@ -56,7 +62,7 @@ static int redirect_tg4_check(const struct xt_tgchk_param *par)
                pr_debug("bad rangesize %u.\n", mr->rangesize);
                return -EINVAL;
        }
-       return 0;
+       return nf_ct_netns_get(par->net, par->family);
 }
 
 static unsigned int
@@ -72,6 +78,7 @@ static struct xt_target redirect_tg_reg[] __read_mostly = {
                .revision   = 0,
                .table      = "nat",
                .checkentry = redirect_tg6_checkentry,
+               .destroy    = redirect_tg_destroy,
                .target     = redirect_tg6,
                .targetsize = sizeof(struct nf_nat_range),
                .hooks      = (1 << NF_INET_PRE_ROUTING) |
@@ -85,6 +92,7 @@ static struct xt_target redirect_tg_reg[] __read_mostly = {
                .table      = "nat",
                .target     = redirect_tg4,
                .checkentry = redirect_tg4_check,
+               .destroy    = redirect_tg_destroy,
                .targetsize = sizeof(struct nf_nat_ipv4_multi_range_compat),
                .hooks      = (1 << NF_INET_PRE_ROUTING) |
                              (1 << NF_INET_LOCAL_OUT),