Chen Yufeng <chenyufeng@xxxxxxxxx> wrote:
> The number of `expr` expressions provided by userspace may exceed the
> declared set expressions, potentially leading to errors or undefined behavior.
> This patch addresses the issue by validating whether i exceeds
> set->num_exprs.

It's already tested?  Please explain why this isn't enough and/or provide
splat/backtrace.

        nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
                if (i == NFT_SET_EXPR_MAX ||
                    (set->num_exprs && set->num_exprs == i)) {
                        err = -E2BIG;
                        goto err_set_elem_expr;
                }
                if (nla_type(tmp) != NFTA_LIST_ELEM) {
                        err = -EINVAL;

> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 58c5425d61c2..958a7c8b0b4c 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -7338,9 +7338,15 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
>  			expr_array[i] = expr;
>  			num_exprs++;
>  
> -			if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
> -				err = -EOPNOTSUPP;
> -				goto err_set_elem_expr;
> +			if (set->num_exprs) {
> +				if (i >= set->num_exprs) {
> +					err = -EINVAL;
> +					goto err_set_elem_expr;
> +				}

I don't see how we can hit the if (set->num_exprs && conditional
with i == set->num_exprs.
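Review bot: The added `if (i >= set->num_exprs)` check in the nft_add_set_elem() hunk looks unreachable given the guard already at the top of the same nla_for_each_nested() loop, quoted above in the reply: `if (i == NFT_SET_EXPR_MAX || (set->num_exprs && set->num_exprs == i))` returns -E2BIG before `set->exprs[i]` is ever indexed, and i only grows by one per iteration, so i can never reach set->num_exprs at the point the new check runs. Unless the submitter can show a path where the loop-head guard is bypassed, the change should be dropped, or the commit message should document that path and the observed splat. The hunk as quoted also cuts off after the new inner block, so the remainder of the rewritten `set->num_exprs` branch (what becomes of the `expr->ops != set->exprs[i]->ops` comparison and its -EOPNOTSUPP return) is not visible here and cannot be reviewed from this mail.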