Commit 113661e0 authored by Pablo Neira Ayuso

netfilter: nf_tables: reject NFT_SET_CONCAT with no field length description



It is still possible to set the NFT_SET_CONCAT flag by specifying a
set size and no field description; report EINVAL in that case.

Fixes: 1b6345d4 ("netfilter: nf_tables: check NFT_SET_CONCAT flag if field_count is specified")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 6b1ca88e
+5 −1
@@ -5070,11 +5070,15 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
		if (err < 0)
			return err;

		if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))
		if (desc.field_count > 1) {
			if (!(flags & NFT_SET_CONCAT))
				return -EINVAL;
		} else if (flags & NFT_SET_CONCAT) {
			return -EINVAL;
		}
	} else if (flags & NFT_SET_CONCAT) {
		return -EINVAL;
	}

	if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
		desc.expr = true;
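Review bot: the new `} else if (flags & NFT_SET_CONCAT) {` branch inside the `desc.field_count > 1` test also rejects the case `desc.field_count == 1` with NFT_SET_CONCAT set, which the replaced condition `if (desc.field_count > 1 && !(flags & NFT_SET_CONCAT))` accepted; if rejecting a single-field concatenation is intended, the commit message should say so rather than only mentioning the "no field description" case. The added branch is also a duplicate of the pre-existing outer `} else if (flags & NFT_SET_CONCAT) { return -EINVAL; }` that follows it; a single check after the whole block, along the lines of `if ((flags & NFT_SET_CONCAT) && desc.field_count <= 1) return -EINVAL;`, would cover both the missing-NFTA_SET_DESC case and the size-only case with one rule and keep the two error paths from drifting apart in future changes.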