netfilter: nf_tables: disallow anonymous set with timeout flag

gvrose8192 · gvrose8192 · commit adc34783998c · 2024-11-04T11:39:41.000-08:00
jira VULN-827 cve CVE-2024-26642 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 1660360 Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. Cc: stable@vger.kernel.org Fixes: 761da29 ("netfilter: nf_tables: add set timeout API support") Reported-by: lonial con <kongln9170@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 1660360) Signed-off-by: Greg Rose <g.v.rose@ciq.com>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -4152,6 +4152,9 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 		if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
 			     (NFT_SET_EVAL | NFT_SET_OBJECT))
 			return -EOPNOTSUPP;
+		if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
+			     (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
+			return -EOPNOTSUPP;
 	}
 
 	dtype = 0;

Original file line number	Diff line number	Diff line change
`@@ -4152,6 +4152,9 @@ static int nf_tables_newset(struct net net, struct sock nlsk,`
`4152`	`4152`	`if ((flags & (NFT_SET_EVAL \| NFT_SET_OBJECT)) ==`
`4153`	`4153`	`(NFT_SET_EVAL \| NFT_SET_OBJECT))`
`4154`	`4154`	`return -EOPNOTSUPP;`
	`4155`	`+ if ((flags & (NFT_SET_ANONYMOUS \| NFT_SET_TIMEOUT \| NFT_SET_EVAL)) ==`
	`4156`	`+ (NFT_SET_ANONYMOUS \| NFT_SET_TIMEOUT))`
	`4157`	`+ return -EOPNOTSUPP;`
`4155`	`4158`	`}`
`4156`	`4159`
`4157`	`4160`	`dtype = 0;`