netfilter: nft_compat: check extension hook mask only if set
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 18 Jul 2017 18:03:05 +0000 (20:03 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 19 Jul 2017 09:53:30 +0000 (11:53 +0200)
If the x_tables extension comes with no hook mask, skip this validation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_compat.c

index f5a7cb68694e76db73dec897ad51305f29bb8981..b89f4f65b2a0fbbcd725001e58ae373ab2c3156b 100644 (file)
@@ -305,7 +305,7 @@ static int nft_target_validate(const struct nft_ctx *ctx,
                const struct nf_hook_ops *ops = &basechain->ops[0];
 
                hook_mask = 1 << ops->hooknum;
-               if (!(hook_mask & target->hooks))
+               if (target->hooks && !(hook_mask & target->hooks))
                        return -EINVAL;
 
                ret = nft_compat_chain_validate_dependency(target->table,
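Review bot: The new `target->hooks &&` guard in nft_target_validate() relies on the x_tables convention that a zero `hooks` mask means the extension may be used from any hook, but nothing at the check says so. The same applies to the `match->hooks &&` guard in nft_match_validate() in the second hunk. This test is what stops an extension from being attached to a hook it was not written for, so a reader should be able to tell that the zero case is a deliberate pass rather than a missed rejection. I would add a comment above each condition, for example `/* hooks == 0 means no hook restriction, same as xt_check_target() */`, and the match-side equivalent naming xt_check_match(). Both functions start and end outside the hunks shown.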
@@ -484,7 +484,7 @@ static int nft_match_validate(const struct nft_ctx *ctx,
                const struct nf_hook_ops *ops = &basechain->ops[0];
 
                hook_mask = 1 << ops->hooknum;
-               if (!(hook_mask & match->hooks))
+               if (match->hooks && !(hook_mask & match->hooks))
                        return -EINVAL;
 
                ret = nft_compat_chain_validate_dependency(match->table,