Unverified Commit 162d8dcc authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!4461 netfilter: nf_tables: reject QUEUE/DROP verdict parameters 

Merge Pull Request from: @ci-robot 
 
PR sync from: Dong Chenchen <dongchenchen2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/GILLV3F2URBVDIU4TWLOIM7RYKP3BMZO/ 
 
https://gitee.com/src-openeuler/kernel/issues/I90B2K 
 
Link:https://gitee.com/openeuler/kernel/pulls/4461

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 176b28d6 7d513cc1

net/netfilter/nf_tables_api.c

+6 −10
Original line number Diff line number Diff line
@@ -8972,16 +8972,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 
	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));



	switch (data->verdict.code) {

	default:

		switch (data->verdict.code & NF_VERDICT_MASK) {

	case NF_ACCEPT:

	case NF_DROP:

	case NF_QUEUE:

		break;

		default:

			return -EINVAL;

		}

		fallthrough;

	case NFT_CONTINUE:

	case NFT_BREAK:

	case NFT_RETURN:
@@ -9015,6 +9009,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 
		chain->use++;

		data->verdict.chain = chain;

		break;

	default:

		return -EINVAL;

	}



	desc->len = sizeof(data->verdict);