[nf,2/2] netfilter: nf_tables: missing attribute validation in nf_tables_delflowtable()

Message ID 20180226121605.14655-2-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira
Series [nf,1/2] netfilter: nf_tables: return EBUSY if device already belongs to flowtable

Commit Message

Pablo Neira Ayuso Feb. 26, 2018, 12:16 p.m. UTC
Return -EINVAL if mandatory attributes are missing.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 5 +++++
 1 file changed, 5 insertions(+)

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 927c36aa47e6..b05c3471b816 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5152,6 +5152,11 @@  static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
 	struct nft_table *table;
 	struct nft_ctx ctx;
 
+	if (!nla[NFTA_FLOWTABLE_TABLE] ||
+	    (!nla[NFTA_FLOWTABLE_NAME] &&
+	     !nla[NFTA_FLOWTABLE_HANDLE]))
+		return -EINVAL;
+
 	table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
 				       family, genmask);
 	if (IS_ERR(table))
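
Review bot: the changelog does not say what the missing check allowed. In the context lines right after the new test, nla[NFTA_FLOWTABLE_TABLE] is handed straight to nf_tables_table_lookup(), so before this change an absent attribute reached the lookup as a NULL pointer. Stating that consequence in the commit message, together with a Fixes: tag, would let stable maintainers judge the backport. Separately, the condition accepts a request that carries both NFTA_FLOWTABLE_NAME and NFTA_FLOWTABLE_HANDLE; the hunk does not show which one takes precedence, so a one-line comment above the check saying so would help the next reader.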