netfilter: nf_tables: reject invalid set policy

author Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 3 Jan 2024 22:34:58 +0000 (23:34 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 25 Jan 2024 23:35:59 +0000 (15:35 -0800)
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 3 Jan 2024 22:34:58 +0000 (23:34 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 25 Jan 2024 23:35:59 +0000 (15:35 -0800)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index 5200bd8..55cd821 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4990,8 +4990,16 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
         }
  
         desc.policy = NFT_SET_POL_PERFORMANCE;
-       if (nla[NFTA_SET_POLICY] != NULL)
+       if (nla[NFTA_SET_POLICY] != NULL) {
                 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
+               switch (desc.policy) {
+               case NFT_SET_POL_PERFORMANCE:
+               case NFT_SET_POL_MEMORY:
+                       break;
+               default:
+                       return -EOPNOTSUPP;
+               }
+       }
  
         if (nla[NFTA_SET_DESC] != NULL) {
                 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 3 Jan 2024 22:34:58 +0000 (23:34 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 25 Jan 2024 23:35:59 +0000 (15:35 -0800)