Message-ID: <20251203132044.57242-1-mlbnkm1@gmail.com>
Date: Wed,  3 Dec 2025 13:20:44 +0000
From: Melbin K Mathew <mlbnkm1@...il.com>
To: pablo@...filter.org,
	kadlec@...filter.org,
	fw@...len.de
Cc: phil@....cc,
	netfilter-devel@...r.kernel.org,
	netdev@...r.kernel.org,
	Melbin K Mathew <mlbnkm1@...il.com>
Subject: [PATCH] netfilter: nft_set_hash: fix potential NULL deref in nft_rhash_deactivate

In nft_rhash_deactivate(), rhashtable_lookup() may return NULL when the
set element is not found, but the function unconditionally returns
&he->priv.

Dereferencing a member of a NULL pointer is undefined behavior in C.
Although the current struct layout places 'priv' at offset 0 (making
this behave like returning NULL), this is fragile and relies on
implementation details.

Make the NULL case explicit and return NULL when the lookup fails.

Fixes: c07b3b683133 ("netfilter: nf_tables: add rhashtable set backend")

Signed-off-by: Melbin K Mathew <mlbnkm1@...il.com>
---
 net/netfilter/nft_set_hash.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index ba01ce75d6de..9ff25ebf93cf 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -231,6 +231,9 @@ nft_rhash_deactivate(const struct net *net, const struct nft_set *set,
 
 	rcu_read_unlock();
 
+	if (!he)
+		return NULL;
+
 	return &he->priv;
 }
 
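Review bot: the added "if (!he) return NULL;" ahead of "return &he->priv;" changes nothing at runtime while 'priv' sits at offset 0, which the changelog itself says is the current layout, so the Fixes: tag presents a robustness cleanup as a bug fix. Either drop the tag or state in the changelog that no functional change is intended, so the patch is not picked up for backporting on the strength of the tag alone. The same result fits in one statement, "return he ? &he->priv : NULL;", which avoids adding a second return path after rcu_read_unlock(). The subject also carries a bare [PATCH] with no target tree named.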
-- 
2.45.2

