Commit fe11e5c4 authored Apr 22, 2026 by Kai Ma Committed by Pablo Neira Ayuso Apr 24, 2026

netfilter: reject zero shift in nft_bitwise



Reject zero shift operands for nft_bitwise left and right shift
expressions during initialization.

The carry propagation logic computes the carry from the adjacent 32-bit
word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this
into a 32-bit shift, which is undefined behaviour.

Reject zero shift operands in the control plane, alongside the existing
check for values greater than or equal to 32, so malformed rules never
reach the packet path.

Fixes: 567d746b ("netfilter: bitwise: add support for shifts.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Kai Ma <k4729.23098@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 4b2b4d7d

net/netfilter/nft_bitwise.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -196,7 +196,8 @@ static int nft_bitwise_init_shift(struct nft_bitwise *priv,
		if (err < 0)
		return err;

		if (priv->data.data[0] >= BITS_PER_TYPE(u32)) {
		if (!priv->data.data[0] \|\|
		priv->data.data[0] >= BITS_PER_TYPE(u32)) {
		nft_data_release(&priv->data, desc.type);
		return -EINVAL;
		}