Unverified Commit 6c2da8ff authored Feb 21, 2024 by openeuler-ci-bot Committed by Gitee Feb 21, 2024

!4550 [sync] PR-4461: netfilter: nf_tables: reject QUEUE/DROP verdict parameters

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/4461 
 
PR sync from: Dong Chenchen <dongchenchen2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/GILLV3F2URBVDIU4TWLOIM7RYKP3BMZO/ 
 
https://gitee.com/src-openeuler/kernel/issues/I90B2K 
 
Link:https://gitee.com/openeuler/kernel/pulls/4550

 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parents ecc18b7e 85d610ca

net/netfilter/nf_tables_api.c

+6 −10

Original line number	Diff line number	Diff line
		@@ -8967,16 +8967,10 @@ static int nft_verdict_init(const struct nft_ctx ctx, struct nft_data data,
		data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));

		switch (data->verdict.code) {
		default:
		switch (data->verdict.code & NF_VERDICT_MASK) {
		case NF_ACCEPT:
		case NF_DROP:
		case NF_QUEUE:
		break;
		default:
		return -EINVAL;
		}
		fallthrough;
		case NFT_CONTINUE:
		case NFT_BREAK:
		case NFT_RETURN:
		@@ -9010,6 +9004,8 @@ static int nft_verdict_init(const struct nft_ctx ctx, struct nft_data data,
		chain->use++;
		data->verdict.chain = chain;
		break;
		default:
		return -EINVAL;
		}

		desc->len = sizeof(data->verdict);