netfilter: xt_owner: bail out with EINVAL in case of unsupported flags

author Rahul Dadhich <r.dadhich@samsung.com>

Wed, 28 Aug 2019 13:08:56 +0000 (18:38 +0530)

committer Rahul Dadhich <r.dadhich@samsung.com>

Wed, 28 Aug 2019 13:09:45 +0000 (18:39 +0530)
author Rahul Dadhich <r.dadhich@samsung.com>
Wed, 28 Aug 2019 13:08:56 +0000 (18:38 +0530)
committer Rahul Dadhich <r.dadhich@samsung.com>
Wed, 28 Aug 2019 13:09:45 +0000 (18:39 +0530)
diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h

index e7731dc..e5c670d 100644 (file)
--- a/include/uapi/linux/netfilter/xt_owner.h
+++ b/include/uapi/linux/netfilter/xt_owner.h
@@ -10,6 +10,11 @@ enum {
         XT_OWNER_SUPPL_GROUPS = 1 << 3,
  };
  
+#define XT_OWNER_MASK  (XT_OWNER_UID |         \
+                        XT_OWNER_GID |         \
+                        XT_OWNER_SOCKET |      \
+                        XT_OWNER_SUPPL_GROUPS)
+
  struct xt_owner_match_info {
         __u32 uid_min, uid_max;
         __u32 gid_min, gid_max;
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c

index cbe64cf..88aa4bf 100644 (file)
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -22,6 +22,9 @@ static int owner_check(const struct xt_mtchk_param *par)
  {
         struct xt_owner_match_info *info = par->matchinfo;
  
+       if (info->match & ~XT_OWNER_MASK)
+               return -EINVAL;
+
         /* For now only allow adding matches from the initial user namespace */
         if ((info->match & (XT_OWNER_UID|XT_OWNER_GID)) &&
             (current_user_ns() != &init_user_ns))
author	Rahul Dadhich <r.dadhich@samsung.com>
	Wed, 28 Aug 2019 13:08:56 +0000 (18:38 +0530)
committer	Rahul Dadhich <r.dadhich@samsung.com>
	Wed, 28 Aug 2019 13:09:45 +0000 (18:39 +0530)
include/uapi/linux/netfilter/xt_owner.h		patch \| blob \| history
net/netfilter/xt_owner.c		patch \| blob \| history