On Mon, Sep 08, 2025 at 10:08:44PM +0800, Chen Yufeng wrote:
> The number of `expr` expressions provided by userspace may exceed the
> declared set expressions, potentially leading to errors or undefined behavior.
> This patch addresses the issue by validating whether i exceeds
> set->num_exprs.

        } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
                struct nft_expr *expr;
                struct nlattr *tmp;
                int left;

                i = 0;
                nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
                        if (i == NFT_SET_EXPR_MAX ||
                            (set->num_exprs && set->num_exprs == i)) {

There is this upfront check to validate what you describe. Are you
reporting a different issue?

> This patch is inspired by commit 3701cd390fd7("netfilter: nf_tables:
> bail out on mismatching dynset and set expressions").
>
> Signed-off-by: Chen Yufeng <chenyufeng@xxxxxxxxx>
> --- > net/netfilter/nf_tables_api.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 58c5425d61c2..958a7c8b0b4c 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -7338,9 +7338,15 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, > expr_array[i] = expr; > num_exprs++; > > - if (set->num_exprs && expr->ops != set->exprs[i]->ops) { > - err = -EOPNOTSUPP; > - goto err_set_elem_expr; > + if (set->num_exprs) { > + if (i >= set->num_exprs) { > + err = -EINVAL; > + goto err_set_elem_expr; > + } > + if (expr->ops != set->exprs[i]->ops) { > + err = -EOPNOTSUPP; > + goto err_set_elem_expr; > + } > } > i++; > } > -- > 2.34.1 >
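
Review bot: the added `i >= set->num_exprs` test in the `@@ -7338,9 +7338,15 @@` hunk of `nft_add_set_elem()` comes after `expr_array[i] = expr;` and `num_exprs++`, so if the index could really be out of range, the store would already have happened by the time the test runs; a bound on `i` belongs before the element is stored, not after. The loop head quoted in the reply already tests `i == NFT_SET_EXPR_MAX || (set->num_exprs && set->num_exprs == i)`, and if that branch bails out, as the reply indicates, the new `-EINVAL` path cannot be reached whenever `set->num_exprs` is non-zero. Suggest either dropping the added test, or describing in the commit message the concrete path on which `i` reaches `set->num_exprs` despite the upfront check, since "errors or undefined behavior" does not say which access is affected.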