[SRU,Jammy,OEM-6.1,Lunar,Mantic,1/1] netfilter: nft_set_pipapo: skip inactive elements during set walk

Message ID 20231215175123.858821-2-cascardo@canonical.com
State New
Series CVE-2023-6817

Commit Message

Thadeu Lima de Souza Cascardo Dec. 15, 2023, 5:51 p.m. UTC
From: Florian Westphal <fw@strlen.de>

Otherwise set elements can be deactivated twice which will cause a crash.

Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(backported from commit 317eb9685095678f2c9f5a8189de698c5354316a)
[cascardo: context conflict due to missing 0e1ea651c9717ddcd8e0648d8468477a31867b0a]
CVE-2023-6817
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nft_set_pipapo.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Yuxuan Luo Jan. 2, 2024, 9:02 p.m. UTC | #1
Acked-by: Yuxuan Luo <yuxuan.luo@canonical.com>

On 12/15/23 12:51, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
>
> Otherwise set elements can be deactivated twice which will cause a crash.
>
> Reported-by: Xingyuan Mo <hdthky0@gmail.com>
> Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (backported from commit 317eb9685095678f2c9f5a8189de698c5354316a)
> [cascardo: context conflict due to missing 0e1ea651c9717ddcd8e0648d8468477a31867b0a]
> CVE-2023-6817
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>   net/netfilter/nft_set_pipapo.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
> index c0dcc40de358..3ff31043f714 100644
> --- a/net/netfilter/nft_set_pipapo.c
> +++ b/net/netfilter/nft_set_pipapo.c
> @@ -2041,6 +2041,9 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
>   
>   		e = f->mt[r].e;
>   
> +		if (!nft_set_elem_active(&e->ext, iter->genmask))
> +			goto cont;
> +
>   		elem.priv = e;
>   
>   		iter->err = iter->fn(ctx, set, iter, &elem);
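
Review bot: the new check in nft_pipapo_walk() depends on `iter->genmask` being set by whoever starts the walk, and this hunk does not show where that happens. Since this is a backport with a noted context conflict, please confirm for each target tree (Jammy, OEM-6.1, Lunar, Mantic) that the walk callers initialise `genmask` before the walk runs, because the result of `nft_set_elem_active(&e->ext, iter->genmask)` decides which elements ever reach `iter->fn`.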
Patch

diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index c0dcc40de358..3ff31043f714 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2041,6 +2041,9 @@  static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 
 		e = f->mt[r].e;
 
+		if (!nft_set_elem_active(&e->ext, iter->genmask))
+			goto cont;
+
 		elem.priv = e;
 
 		iter->err = iter->fn(ctx, set, iter, &elem);
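
Review bot: the added `if (!nft_set_elem_active(&e->ext, iter->genmask)) goto cont;` has no comment, and the commit message gives the reason only as "set elements can be deactivated twice". A one-line comment above the check, saying that inactive elements are skipped so the walk callback is not applied to them again, would keep the intent visible in the code. The `cont` label also lies outside the context shown here; given the context conflict recorded in the backport note, please verify in each tree that the label exists and that jumping to it advances the walk the same way it does for elements that are visited.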