aboutsummaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorPablo Neira Ayuso2023-04-17 17:50:28 +0200
committerGreg Kroah-Hartman2023-04-26 14:28:34 +0200
commit8e1f40e8f707857a9327dac6fce11dc3a3270117 (patch)
treee7c6beab3205a51e64d288cb098b86114fc1324d /net
parentef87cd81321be22db9fc1c6943935ce365cd3417 (diff)
netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements
[ Upstream commit d4eb7e39929a3b1ff30fb751b4859fc2410702a0 ] If NFT_SET_ELEM_CATCHALL is set on, then userspace provides no set element key. Otherwise, bail out with -EINVAL. Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_tables_api.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 251f4a9fbdb5..12d815b9aa13 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6040,7 +6040,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
if (err < 0)
return err;
- if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
+ if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
+ (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
return -EINVAL;
if (flags != 0) {