
netfilter: nft_compat: reject unused compat flag

Flag (1 << 0) is ignored if set and never used; reject it with EINVAL
instead.

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

+4 -1
+2
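--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -285,9 +285,11 @@
 /**
  * enum nft_rule_compat_flags - nf_tables rule compat flags
  *
+ * @NFT_RULE_COMPAT_F_UNUSED: unused
  * @NFT_RULE_COMPAT_F_INV: invert the check result
  */
 enum nft_rule_compat_flags {
+	NFT_RULE_COMPAT_F_UNUSED = (1 << 0),
 	NFT_RULE_COMPAT_F_INV = (1 << 1),
 	NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
 };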
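Review bot: The kerneldoc for the new NFT_RULE_COMPAT_F_UNUSED entry only says `unused`, which does not tell a UAPI reader whether the bit may be set; since NFT_RULE_COMPAT_F_MASK below still excludes it and the nft_compat.c hunk of this commit returns -EINVAL when it is set, the comment should state that, e.g. ` * @NFT_RULE_COMPAT_F_UNUSED: reserved, must be clear (rejected with -EINVAL)`. Leaving NFT_RULE_COMPAT_F_MASK equal to NFT_RULE_COMPAT_F_INV looks deliberate, as it keeps the flag outside the accepted set; a short remark on the MASK line saying so would keep a later maintainer from "fixing" the mask to include the new bit.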
+2 -1
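--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -212,7 +212,8 @@
 		return -EINVAL;
 
 	flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
-	if (flags & ~NFT_RULE_COMPAT_F_MASK)
+	if (flags & NFT_RULE_COMPAT_F_UNUSED ||
+	    flags & ~NFT_RULE_COMPAT_F_MASK)
 		return -EINVAL;
 	if (flags & NFT_RULE_COMPAT_F_INV)
 		*inv = true;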
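Review bot: The added `flags & NFT_RULE_COMPAT_F_UNUSED` condition is subsumed by the existing `flags & ~NFT_RULE_COMPAT_F_MASK` test on the following line: the header hunk in this commit leaves NFT_RULE_COMPAT_F_MASK equal to NFT_RULE_COMPAT_F_INV (1 << 1), so bit 0 is already outside the mask and already produces -EINVAL. The rejection is therefore correct but stated twice; if the explicit test is intended as documentation of the reserved bit, a comment such as `/* bit 0 is reserved and must be clear; the mask test below also rejects it */` would make that intent visible, otherwise the first condition could be dropped. Mixing `&` and `||` without parentheses is valid here but easy to misread; `(flags & NFT_RULE_COMPAT_F_UNUSED) || (flags & ~NFT_RULE_COMPAT_F_MASK)` reads more clearly. The enclosing function starts and ends outside the hunk.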