netfilter: nf_tables: bail out on mismatching dynset and set expressions

gvrose8192 · gvrose8192 · commit 789fbe038d61 · 2024-11-05T17:07:55.000-08:00
jira VULN-683 cve CVE-2023-6622 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 3701cd3 If dynset expressions provided by userspace is larger than the declared set expressions, then bail out. Fixes: 48b0ae0 ("netfilter: nftables: netlink support for several set element expressions") Reported-by: Xingyuan Mo <hdthky0@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 3701cd3) Signed-off-by: Greg Rose <g.v.rose@ciq.com>
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
@@ -274,10 +274,15 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 			priv->expr_array[i] = dynset_expr;
 			priv->num_exprs++;
 
-			if (set->num_exprs &&
-			    dynset_expr->ops != set->exprs[i]->ops) {
-				err = -EOPNOTSUPP;
-				goto err_expr_free;
+			if (set->num_exprs) {
+				if (i >= set->num_exprs) {
+					err = -EINVAL;
+					goto err_expr_free;
+				}
+				if (dynset_expr->ops != set->exprs[i]->ops) {
+					err = -EOPNOTSUPP;
+					goto err_expr_free;
+				}
 			}
 			i++;
 		}
