netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements

If NFT_SET_ELEM_CATCHALL is set on, then userspace provides no set element key. Otherwise, bail out with -EINVAL. Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso 2023-04-17 17:50:28 +0200
committer: Pablo Neira Ayuso 2023-04-18 09:30:21 +0200
commit: d4eb7e39929a3b1ff30fb751b4859fc2410702a0 (patch)
tree: 21ad87ff5ed6697d9c2c22b01418da907433d35d /net
parent: d46fc894147cf98dd6e8210aa99ed46854191840 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 98043e83af71..e48ab8dfb541 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6108,7 +6108,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (err < 0)
 		return err;
 
-	if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
+	if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
+	    (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
 		return -EINVAL;
 
 	if (flags != 0) {
author	Pablo Neira Ayuso	2023-04-17 17:50:28 +0200
committer	Pablo Neira Ayuso	2023-04-18 09:30:21 +0200
commit	d4eb7e39929a3b1ff30fb751b4859fc2410702a0 (patch)
tree	21ad87ff5ed6697d9c2c22b01418da907433d35d /net
parent	d46fc894147cf98dd6e8210aa99ed46854191840 (diff)