netfilter: x_tables: fix cgroup matching on non-full sks
While originally only being intended for outgoing traffic, commita00e76349f
("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks") enabled xt_cgroups for the NF_INET_LOCAL_IN hook as well, in order to allow for nfacct accounting. Besides being currently limited to early demuxes only, commita00e76349f
forgot to add a check if we deal with full sockets, i.e. in this case not with time wait sockets. TCP time wait sockets do not have the same memory layout as full sockets, a lower memory footprint and consequently also don't have a sk_classid member; probing for sk_classid member there could potentially lead to a crash. Fixes:a00e76349f
("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks") Cc: Alexey Perevalov <a.perevalov@samsung.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
9d0982927e
commit
afb7718016
@ -39,7 +39,7 @@ cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
||||
{
|
||||
const struct xt_cgroup_info *info = par->matchinfo;
|
||||
|
||||
if (skb->sk == NULL)
|
||||
if (skb->sk == NULL || !sk_fullsock(skb->sk))
|
||||
return false;
|
||||
|
||||
return (info->id == skb->sk->sk_classid) ^ info->invert;
|
||||
|
Loading…
Reference in New Issue
Block a user