netfilter: nft_set_pipapo: skip inactive elements during set walk

JIRA: https://issues.redhat.com/browse/RHEL-19722
Upstream Status: commit 317eb96
CVE: CVE-2023-6817

Conflicts: context only.

commit 317eb96
Author: Florian Westphal <[email protected]>
Date:   Fri Dec 1 15:47:13 2023 +0100

    netfilter: nft_set_pipapo: skip inactive elements during set walk

    Otherwise set elements can be deactivated twice which will cause a crash.

    Reported-by: Xingyuan Mo <[email protected]>
    Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges")
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>

Signed-off-by: Florian Westphal <[email protected]>

Author: fw-strlen

net/netfilter/nft_set_pipapo.c

@@ -2050,6 +2050,9 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 
 		e = f->mt[r].e;
 
+		if (!nft_set_elem_active(&e->ext, iter->genmask))
+			goto cont;
+
 		elem.priv = &e->priv;
 
 		iter->err = iter->fn(ctx, set, iter, &elem);