ACK: [SRU Jammy, OEM-6.1, Lunar, Mantic 1/1] netfilter: nft_set_pipapo: skip inactive elements during set walk

Yuxuan Luo yuxuan.luo at canonical.com
Tue Jan 2 21:02:25 UTC 2024


Acked-by: Yuxuan Luo <yuxuan.luo at canonical.com>

On 12/15/23 12:51, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw at strlen.de>
>
> Otherwise set elements can be deactivated twice which will cause a crash.
>
> Reported-by: Xingyuan Mo <hdthky0 at gmail.com>
> Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (backported from commit 317eb9685095678f2c9f5a8189de698c5354316a)
> [cascardo: context conflict due to missing 0e1ea651c9717ddcd8e0648d8468477a31867b0a]
> CVE-2023-6817
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---
>   net/netfilter/nft_set_pipapo.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
> index c0dcc40de358..3ff31043f714 100644
> --- a/net/netfilter/nft_set_pipapo.c
> +++ b/net/netfilter/nft_set_pipapo.c
> @@ -2041,6 +2041,9 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
>   
>   		e = f->mt[r].e;
>   
> +		if (!nft_set_elem_active(&e->ext, iter->genmask))
> +			goto cont;
> +
>   		elem.priv = e;
>   
>   		iter->err = iter->fn(ctx, set, iter, &elem);
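Review bot: the new early-out does `goto cont`, but the `cont:` label sits outside the three context lines shown, so for each of the four target series (Jammy, OEM-6.1, Lunar, Mantic) confirm that `nft_pipapo_walk` still has a `cont:` label after the callback at this point in the tree; the backport note already flags a context conflict from the missing 0e1ea651c971, which is where such a difference would surface. Placement of the check is right: testing `nft_set_elem_active(&e->ext, iter->genmask)` before `iter->err = iter->fn(ctx, set, iter, &elem)` keeps elements already inactive in the iterator's generation from ever reaching the callback, which is what allowed the double deactivation the description refers to. A one-line comment above the `if` stating why inactive elements are skipped would help, since nothing else in the visible walk loop documents the genmask handling.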
