Hi,

This patch is much smaller and if you confirm this addresses the issue, then this is awesome.

On Mon, Aug 03, 2020 at 06:31:56PM +0000, William Mcvicker wrote:
[...]
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > index 31fa94064a62..56d310f8b29a 100644 > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], > if (!tb[CTA_TUPLE_IP]) > return -EINVAL; > > + if (l3num >= NFPROTO_NUMPROTO) > + return -EINVAL;

l3num can only be either NFPROTO_IPV4 or NFPROTO_IPV6. Other than that, bail out with EOPNOTSUPP.

Thank you.
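Review bot: the bound in the added check in ctnetlink_parse_tuple(), `if (l3num >= NFPROTO_NUMPROTO)`, is looser than the function needs: it rejects only values at or above NFPROTO_NUMPROTO and still accepts every other family below that limit, while the reply states that only NFPROTO_IPV4 and NFPROTO_IPV6 are valid here. An explicit allowlist such as `if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) return -EOPNOTSUPP;` states the intent directly, returns the error code the reply asks for instead of -EINVAL, and does not depend on the size of anything later indexed by l3num. A one-line comment saying what the check protects would also help, since the hunk does not show where l3num is used.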