netfilter: nf_tables: reject NFT_SET_ELEM_INTERVAL_END flag for non-interval sets

kaber · ummakynes · commit 55df35d22fe3 · 2015-03-22T19:50:35.000+01:00
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -3138,6 +3138,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 		elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
 		if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
 			return -EINVAL;
+		if (!(set->flags & NFT_SET_INTERVAL) &&
+		    elem.flags & NFT_SET_ELEM_INTERVAL_END)
+			return -EINVAL;
 	}
 
 	if (set->flags & NFT_SET_MAP) {

Original file line number	Diff line number	Diff line change
`@@ -3138,6 +3138,9 @@ static int nft_add_set_elem(struct nft_ctx ctx, struct nft_set set,`
`3138`	`3138`	`elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));`
`3139`	`3139`	`if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)`
`3140`	`3140`	`return -EINVAL;`
	`3141`	`+ if (!(set->flags & NFT_SET_INTERVAL) &&`
	`3142`	`+ elem.flags & NFT_SET_ELEM_INTERVAL_END)`
	`3143`	`+ return -EINVAL;`
`3141`	`3144`	`}`
`3142`	`3145`
`3143`	`3146`	`if (set->flags & NFT_SET_MAP) {`