Commit 8da2810d authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Zheng Zengkai
Browse files

netfilter: nf_tables: stricter validation of element data 

mainline inclusion
from mainline-v5.19-rc6
commit 7e6bc1f6
category: bugfix
bugzilla: 187147, https://gitee.com/src-openeuler/kernel/issues/I5GCQH
CVE: CVE-2022-34918

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6



--------------------------------

Make sure element data type and length do not mismatch the one specified
by the set declaration.

Fixes: 7d740264 ("netfilter: nf_tables: variable sized set element keys / data")
Reported-by: default avatarHugues ANGUELKOV <hanguelkov@randorisec.fr>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarLu Wei <luwei32@huawei.com>
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent a5b6f7c6

net/netfilter/nf_tables_api.c

+8 −1
Original line number Diff line number Diff line
@@ -4880,13 +4880,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 
				  struct nft_data *data,

				  struct nlattr *attr)

{

	u32 dtype;

	int err;



	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);

	if (err < 0)

		return err;



	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {

	if (set->dtype == NFT_DATA_VERDICT)

		dtype = NFT_DATA_VERDICT;

	else

		dtype = NFT_DATA_VALUE;



	if (dtype != desc->type ||

	    set->dlen != desc->len) {

		nft_data_release(data, desc->type);

		return -EINVAL;

	}