Commit 1251131c authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Ziyang Xuan
Browse files

netfilter: nf_tables: disallow anonymous set with timeout flag 

mainline inclusion
from mainline-v6.8
commit 16603605b667b70da974bea8216c93e7db043bf1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9AK56


CVE: CVE-2024-26642

--------------------------------

Anonymous sets are never used with timeout from userspace, reject this.
Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.

Cc: stable@vger.kernel.org
Fixes: 761da293 ("netfilter: nf_tables: add set timeout API support")
Reported-by: default avatarlonial con <kongln9170@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
parent ce7ba9ee
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment