| Message ID | 20240118161726.14838-2-pablo@netfilter.org (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 0617c3de9b4026b87be12b0cb5c35f42c7c66fcb |
| Delegated to | Netdev Maintainers |
| Series | [net,01/13] netfilter: nf_tables: reject invalid set policy |
Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 18 Jan 2024 17:17:14 +0100 you wrote:
> Report -EINVAL in case userspace provides an unsupported set backend
> policy.
>
> Fixes: c50b960ccc59 ("netfilter: nf_tables: implement proper set selection")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> net/netfilter/nf_tables_api.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)

Here is the summary with links:
  - [net,01/13] netfilter: nf_tables: reject invalid set policy
    https://git.kernel.org/netdev/net/c/0617c3de9b40
  - [net,02/13] netfilter: nf_tables: validate .maxattr at expression registration
    https://git.kernel.org/netdev/net/c/65b3bd600e15
  - [net,03/13] netfilter: nf_tables: bail out if stateful expression provides no .clone
    https://git.kernel.org/netdev/net/c/3c13725f43dc
  - [net,04/13] netfilter: nft_limit: do not ignore unsupported flags
    https://git.kernel.org/netdev/net/c/91a139cee120
  - [net,05/13] netfilter: nfnetlink_log: use proper helper for fetching physinif
    https://git.kernel.org/netdev/net/c/c3f9fd54cd87
  - [net,06/13] netfilter: nf_queue: remove excess nf_bridge variable
    https://git.kernel.org/netdev/net/c/aeaa44075f8e
  - [net,07/13] netfilter: propagate net to nf_bridge_get_physindev
    https://git.kernel.org/netdev/net/c/a54e72197037
  - [net,08/13] netfilter: bridge: replace physindev with physinif in nf_bridge_info
    https://git.kernel.org/netdev/net/c/9874808878d9
  - [net,09/13] netfilter: nf_tables: check if catch-all set element is active in next generation
    https://git.kernel.org/netdev/net/c/b1db244ffd04
  - [net,10/13] netfilter: nf_tables: do not allow mismatch field size and set key length
    https://git.kernel.org/netdev/net/c/3ce67e3793f4
  - [net,11/13] netfilter: nf_tables: skip dead set elements in netlink dump
    https://git.kernel.org/netdev/net/c/6b1ca88e4bb6
  - [net,12/13] netfilter: nf_tables: reject NFT_SET_CONCAT with not field length description
    https://git.kernel.org/netdev/net/c/113661e07460
  - [net,13/13] ipvs: avoid stat macros calls from preemptible context
    https://git.kernel.org/netdev/net/c/d6938c1c76c6

You are awesome, thank you!
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 8438a8922e4a..a90a364f5be5 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5048,8 +5048,16 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, } desc.policy = NFT_SET_POL_PERFORMANCE; - if (nla[NFTA_SET_POLICY] != NULL) + if (nla[NFTA_SET_POLICY] != NULL) { desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); + switch (desc.policy) { + case NFT_SET_POL_PERFORMANCE: + case NFT_SET_POL_MEMORY: + break; + default: + return -EOPNOTSUPP; + } + } if (nla[NFTA_SET_DESC] != NULL) { err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
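Review bot: the error code in the new `default:` branch does not match the commit message. The message says "Report -EINVAL in case userspace provides an unsupported set backend policy", but the hunk returns `-EOPNOTSUPP`; either the message should say -EOPNOTSUPP or the code should `return -EINVAL;`, so that userspace and the changelog agree on what an unknown NFTA_SET_POLICY value produces. The check itself is sound: `desc.policy` is a 32-bit value taken directly from the netlink attribute, and before this change anything other than the two known constants was accepted and carried forward unvalidated, so an explicit allow-list of `NFT_SET_POL_PERFORMANCE` and `NFT_SET_POL_MEMORY` is the right shape. Worth a short comment above the `switch` noting that any policy added to the uapi header later must also be added here, since the allow-list will otherwise silently reject it.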
Report -EINVAL in case userspace provides an unsupported set backend policy.

Fixes: c50b960ccc59 ("netfilter: nf_tables: implement proper set selection")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)