
Commit f6594c3

committed
netfilter: nf_tables: perform type checking for existing sets
If a ruleset declares a set name that matches an existing set in the kernel, then validate that this declaration really refers to the same set, otherwise bail out with EEXIST. Currently, the kernel reports success when adding a set that already exists in the kernel. This usually results in EINVAL errors at a later stage, when the user adds elements to the set, if the set declaration mismatches the existing set representation in the kernel. Add a new function to check that the set declaration really refers to the same existing set in the kernel. Fixes: 9651851 ("netfilter: add nftables") Reported-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent a8fe415 commit f6594c3


1 file changed

+35
-1
lines changed


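--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4441,6 +4441,34 @@ static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
 	return err;
 }
 
+static bool nft_set_is_same(const struct nft_set *set,
+			    const struct nft_set_desc *desc,
+			    struct nft_expr *exprs[], u32 num_exprs, u32 flags)
+{
+	int i;
+
+	if (set->ktype != desc->ktype ||
+	    set->dtype != desc->dtype ||
+	    set->flags != flags ||
+	    set->klen != desc->klen ||
+	    set->dlen != desc->dlen ||
+	    set->field_count != desc->field_count ||
+	    set->num_exprs != num_exprs)
+		return false;
+
+	for (i = 0; i < desc->field_count; i++) {
+		if (set->field_len[i] != desc->field_len[i])
+			return false;
+	}
+
+	for (i = 0; i < num_exprs; i++) {
+		if (set->exprs[i]->ops != exprs[i]->ops)
+			return false;
+	}
+
+	return true;
+}
+
 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 			    const struct nlattr * const nla[])
 {
@@ -4595,10 +4623,16 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
 		if (err < 0)
 			return err;
 
+		err = 0;
+		if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
+			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
+			err = -EEXIST;
+		}
+
 		for (i = 0; i < num_exprs; i++)
 			nft_expr_destroy(&ctx, exprs[i]);
 
-		return 0;
+		return err;
 	}
 
 	if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))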
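Review bot: `nft_set_is_same` carries no comment saying what "same" means, even though it now decides whether a NEWSET for an already-existing name is accepted or rejected with -EEXIST; add above the definition: `/* A NEWSET naming an existing set is accepted only if it describes that set: same key/data types and lengths, flags, concatenation field layout and expression types. A mismatch is rejected with -EEXIST here instead of surfacing later as -EINVAL when elements are added. */`. The index `int i` is compared against `u32 num_exprs` (and, presumably, against a `desc->field_count` of the same kind), a mixed-sign comparison that a -Wsign-compare build flags; `u32 i;` keeps both loops unsigned. The expression loop compares only `ops`, so two expressions of the same type but different configuration are still treated as the same set, which is worth stating in the comment if that is intended. In the second hunk the `if (set)` block and the enclosing nf_tables_newset start outside the hunk.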
