netfilter: nf_tables: stricter validation of element data

Make sure element data type and length do not mismatch the one specified by the set declaration. Fixes: 7d74026 ("netfilter: nf_tables: variable sized set element keys / data") Reported-by: Hugues ANGUELKOV <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
larsclausen · Jul 18, 2022 · 487e664 · 487e664
1 parent b7ba9c5
commit 487e664
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -5213,13 +5213,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
 				  struct nft_data *data,
 				  struct nlattr *attr)
 {
+	u32 dtype;
 	int err;
 
 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
 	if (err < 0)
 		return err;
 
-	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
+	if (set->dtype == NFT_DATA_VERDICT)
+		dtype = NFT_DATA_VERDICT;
+	else
+		dtype = NFT_DATA_VALUE;
+
+	if (dtype != desc->type ||
+	    set->dlen != desc->len) {
 		nft_data_release(data, desc->type);
 		return -EINVAL;
 	}