!10894 v2 netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (c75f8130) · Commits · EulixOS / Software / Kernel

include/net/netfilter/nf_tables.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -438,6 +438,11 @@ static inline void nft_set_priv(const struct nft_set set)
		return (void *)set->data;
		}

		static inline enum nft_data_types nft_set_datatype(const struct nft_set *set)
		{
		return set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
		}

		static inline struct nft_set nft_set_container_of(const void priv)
		{
		return (void *)priv - offsetof(struct nft_set, data);

+4 −4

Original line number	Diff line number	Diff line
		@@ -3961,8 +3961,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,

		if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
		nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
		set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
		set->dlen) < 0)
		nft_set_datatype(set), set->dlen) < 0)
		goto nla_put_failure;

		if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
		@@ -7174,6 +7173,9 @@ int nft_validate_register_store(const struct nft_ctx *ctx,

		return 0;
		default:
		if (type != NFT_DATA_VALUE)
		return -EINVAL;

		if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
		return -EINVAL;
		if (len == 0)
		@@ -7182,8 +7184,6 @@ int nft_validate_register_store(const struct nft_ctx *ctx,
		FIELD_SIZEOF(struct nft_regs, data))
		return -ERANGE;

		if (data != NULL && type != NFT_DATA_VALUE)
		return -EINVAL;
		return 0;
		}
		}

+1 −1

Original line number	Diff line number	Diff line
		@@ -102,7 +102,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx,

		priv->dreg = nft_parse_register(tb[NFTA_LOOKUP_DREG]);
		err = nft_validate_register_store(ctx, priv->dreg, NULL,
		set->dtype, set->dlen);
		nft_set_datatype(set), set->dlen);
		if (err < 0)
		return err;
		} else if (set->flags & NFT_SET_MAP)