From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4AFDFC8C8; Mon, 11 Dec 2023 18:47:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="GQGZgJ+E" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C11F5C433C8; Mon, 11 Dec 2023 18:46:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1702320420; bh=5MLRa4IMNl9eyyvrh/amxUN2rLQvax+lL7BeAK7Ok2o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=GQGZgJ+EnasUW3B9OiUEDax42QA29Q2KS/pvB3l6xSDrk93OJk4W2vXw05wvrMK4I k8/u6CXeC9shr4rrcCODu6y+0bzVaqRRl2Ja3vEnqAeBHHRQnjztPEg8fl1pN+fydQ zo1yoI5BEnMgKXNE5VtH0CHQ30Gzz7oxqFg4HEJ0= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Xingyuan Mo , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 6.1 055/194] netfilter: nf_tables: bail out on mismatching dynset and set expressions Date: Mon, 11 Dec 2023 19:20:45 +0100 Message-ID: <20231211182039.010726284@linuxfoundation.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231211182036.606660304@linuxfoundation.org> References: <20231211182036.606660304@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Pablo Neira Ayuso [ Upstream commit 3701cd390fd731ee7ae8b8006246c8db82c72bea ] If dynset expressions provided by userspace is larger than the declared set expressions, then bail out. Fixes: 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions") Reported-by: Xingyuan Mo Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nft_dynset.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index cf9a1ae87d9b1..a470e5f612843 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -279,10 +279,15 @@ static int nft_dynset_init(const struct nft_ctx *ctx, priv->expr_array[i] = dynset_expr; priv->num_exprs++; - if (set->num_exprs && - dynset_expr->ops != set->exprs[i]->ops) { - err = -EOPNOTSUPP; - goto err_expr_free; + if (set->num_exprs) { + if (i >= set->num_exprs) { + err = -EINVAL; + goto err_expr_free; + } + if (dynset_expr->ops != set->exprs[i]->ops) { + err = -EOPNOTSUPP; + goto err_expr_free; + } } i++; } -- 2.42.0