Commit bd7fc645 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: do not allow NFT_SET_ELEM_INTERVAL_END flag and data

This combination is not allowed since end interval elements cannot
contain data.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Acked-by: default avatarPatrick McHardy <kaber@trash.net>
parent 0165d932
...@@ -2741,6 +2741,9 @@ static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set, ...@@ -2741,6 +2741,9 @@ static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
if (nla[NFTA_SET_ELEM_DATA] == NULL && if (nla[NFTA_SET_ELEM_DATA] == NULL &&
!(elem.flags & NFT_SET_ELEM_INTERVAL_END)) !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
return -EINVAL; return -EINVAL;
if (nla[NFTA_SET_ELEM_DATA] != NULL &&
elem.flags & NFT_SET_ELEM_INTERVAL_END)
return -EINVAL;
} else { } else {
if (nla[NFTA_SET_ELEM_DATA] != NULL) if (nla[NFTA_SET_ELEM_DATA] != NULL)
return -EINVAL; return -EINVAL;
......
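Review bot: The added condition mixes `&&` with an unparenthesised `&`, while the check directly above it writes the same flag test as `!(elem.flags & NFT_SET_ELEM_INTERVAL_END)`. Precedence makes the new line correct, but it would be clearer and consistent as `if (nla[NFTA_SET_ELEM_DATA] != NULL && (elem.flags & NFT_SET_ELEM_INTERVAL_END))`. Because this validates attributes supplied by userspace over netlink, a one-line comment such as `/* end-of-interval elements must not carry data */` would record why the combination is rejected. Whether unknown bits in `elem.flags` are refused earlier is not visible here, since the body of nft_add_set_elem starts and ends outside the hunk.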