netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2189550
Upstream Status: commit d4eb7e3

commit d4eb7e3
Author: Pablo Neira Ayuso <[email protected]>
Date:   Mon Apr 17 17:50:28 2023 +0200

    netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements

    If NFT_SET_ELEM_CATCHALL is set on, then userspace provides no set element
    key. Otherwise, bail out with -EINVAL.

    Fixes: aaa3104 ("netfilter: nftables: add catch-all set element support")
    Signed-off-by: Pablo Neira Ayuso <[email protected]>

Signed-off-by: Florian Westphal <[email protected]>

Author: fw-strlen

net/netfilter/nf_tables_api.c

@@ -5921,7 +5921,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (err < 0)
 		return err;
 
-	if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
+	if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
+	    (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
 		return -EINVAL;
 
 	if (flags != 0) {