NETFILTER: arp_tables: missing unregistration on module unload

[karo-tx-linux.git] / net / ipv4 / netfilter / arp_tables.c

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index afe3d8f8177d7df83df0264e20f3072077ff1317..fc33816033b3884589b89fedbd0a4ec504d0e4e8 100644 (file)
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -236,7 +236,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
        struct arpt_entry *e, *back;
        const char *indev, *outdev;
        void *table_base;
-       struct xt_table_info *private = table->private;
+       struct xt_table_info *private;
 
        /* ARP header, plus 2 device addresses, plus 2 IP addresses.  */
        if (!pskb_may_pull((*pskb), (sizeof(struct arphdr) +
@@ -248,6 +248,7 @@ unsigned int arpt_do_table(struct sk_buff **pskb,
        outdev = out ? out->name : nulldevname;
 
        read_lock_bh(&table->lock);
+       private = table->private;
        table_base = (void *)private->entries[smp_processor_id()];
        e = get_entry(table_base, private->hook_entry[hook]);
        back = get_entry(table_base, private->underflow[hook]);
@@ -771,7 +772,7 @@ static int get_entries(const struct arpt_get_entries *entries,
        struct arpt_table *t;
 
        t = xt_find_table_lock(NF_ARP, entries->name);
-       if (t || !IS_ERR(t)) {
+       if (t && !IS_ERR(t)) {
                struct xt_table_info *private = t->private;
                duprintf("t->private->number = %u\n",
                         private->number);
@@ -807,6 +808,13 @@ static int do_replace(void __user *user, unsigned int len)
        if (len != sizeof(tmp) + tmp.size)
                return -ENOPROTOOPT;
 
+       /* overflow check */
+       if (tmp.size >= (INT_MAX - sizeof(struct xt_table_info)) / NR_CPUS -
+                       SMP_CACHE_BYTES)
+               return -ENOMEM;
+       if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
+               return -ENOMEM;
+
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
                return -ENOMEM;
@@ -934,7 +942,7 @@ static int do_add_counters(void __user *user, unsigned int len)
 
        write_lock_bh(&t->lock);
        private = t->private;
-       if (private->number != paddc->num_counters) {
+       if (private->number != tmp.num_counters) {
                ret = -EINVAL;
                goto unlock_up_free;
        }
@@ -1172,6 +1180,8 @@ static int __init init(void)
 static void __exit fini(void)
 {
        nf_unregister_sockopt(&arpt_sockopts);
+       xt_unregister_target(NF_ARP, &arpt_error_target);
+       xt_unregister_target(NF_ARP, &arpt_standard_target);
        xt_proto_fini(NF_ARP);
 }