Commit a412dbf4 authored Jun 21, 2023 by Florian Westphal Committed by Pablo Neira Ayuso Jun 26, 2023

netfilter: nf_tables: limit allowed range via nla_policy



These NLA_U32 types get stored in u8 fields, reject invalid values
instead of silently casting to u8.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 079cd633

net/netfilter/nft_bitwise.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -86,7 +86,7 @@ static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = {
		[NFTA_BITWISE_LEN] = { .type = NLA_U32 },
		[NFTA_BITWISE_MASK] = { .type = NLA_NESTED },
		[NFTA_BITWISE_XOR] = { .type = NLA_NESTED },
		[NFTA_BITWISE_OP] = { .type = NLA_U32 },
		[NFTA_BITWISE_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_BITWISE_DATA] = { .type = NLA_NESTED },
		};

net/netfilter/nft_byteorder.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -88,9 +88,9 @@ void nft_byteorder_eval(const struct nft_expr *expr,
		static const struct nla_policy nft_byteorder_policy[NFTA_BYTEORDER_MAX + 1] = {
		[NFTA_BYTEORDER_SREG] = { .type = NLA_U32 },
		[NFTA_BYTEORDER_DREG] = { .type = NLA_U32 },
		[NFTA_BYTEORDER_OP] = { .type = NLA_U32 },
		[NFTA_BYTEORDER_LEN] = { .type = NLA_U32 },
		[NFTA_BYTEORDER_SIZE] = { .type = NLA_U32 },
		[NFTA_BYTEORDER_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_BYTEORDER_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_BYTEORDER_SIZE] = NLA_POLICY_MAX(NLA_BE32, 255),
		};

		static int nft_byteorder_init(const struct nft_ctx *ctx,

net/netfilter/nft_ct.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -332,7 +332,7 @@ static void nft_ct_set_eval(const struct nft_expr *expr,

		static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
		[NFTA_CT_DREG] = { .type = NLA_U32 },
		[NFTA_CT_KEY] = { .type = NLA_U32 },
		[NFTA_CT_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_CT_DIRECTION] = { .type = NLA_U8 },
		[NFTA_CT_SREG] = { .type = NLA_U32 },
		};

net/netfilter/nft_dynset.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -148,7 +148,7 @@ static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
		[NFTA_DYNSET_SET_NAME] = { .type = NLA_STRING,
		.len = NFT_SET_MAXNAMELEN - 1 },
		[NFTA_DYNSET_SET_ID] = { .type = NLA_U32 },
		[NFTA_DYNSET_OP] = { .type = NLA_U32 },
		[NFTA_DYNSET_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_DYNSET_SREG_KEY] = { .type = NLA_U32 },
		[NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
		[NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },

net/netfilter/nft_exthdr.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -487,9 +487,9 @@ static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
		[NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
		[NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
		[NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
		[NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
		[NFTA_EXTHDR_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
		[NFTA_EXTHDR_OP] = { .type = NLA_U32 },
		[NFTA_EXTHDR_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
		[NFTA_EXTHDR_SREG] = { .type = NLA_U32 },
		};