Hi Will,

Pablo is going to add the latest patch to the nf.git tree. Once that happens, I'm going to propose that the patch in nf.git get cherry-picked to the -stable branches.

Thanks,
Will

On Tue, Sep 1, 2020 at 8:36 AM Will Deacon <will@xxxxxxxxxx> wrote:
>
> Hi Will, Pablo,
>
> On Tue, Aug 04, 2020 at 01:37:11PM +0200, Pablo Neira Ayuso wrote:
> > This patch is much smaller and if you confirm this addresses the
> > issue, then this is awesome.
>
> Did that ever get confirmed? AFAICT, nothing ended up landing in the stable
> trees for this.
>
> Cheers,
>
> Will
>
>
> > On Mon, Aug 03, 2020 at 06:31:56PM +0000, William Mcvicker wrote:
> > [...]
> > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > > > index 31fa94064a62..56d310f8b29a 100644 > > > --- a/net/netfilter/nf_conntrack_netlink.c > > > +++ b/net/netfilter/nf_conntrack_netlink.c > > > @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlattr * const cda[], > > > if (!tb[CTA_TUPLE_IP]) > > > return -EINVAL; > > > > > > + if (l3num >= NFPROTO_NUMPROTO) > > > + return -EINVAL;
> >
> > l3num can only be either NFPROTO_IPV4 or NFPROTO_IPV6.
> >
> > Other than that, bail out with EOPNOTSUPP.
> >
> > Thank you.
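
Review bot: the added check `if (l3num >= NFPROTO_NUMPROTO)`, placed after the `tb[CTA_TUPLE_IP]` test in ctnetlink_parse_tuple(), only rejects values at or past the end of the protocol range, so every other family value below NFPROTO_NUMPROTO still passes. As the reply in the thread points out, l3num can only be NFPROTO_IPV4 or NFPROTO_IPV6 at this point; testing for those two values explicitly and returning -EOPNOTSUPP for anything else would be tighter, and it would let callers tell an unsupported family apart from a malformed message, which already returns -EINVAL two lines earlier. The new lines also carry no comment saying what the bound protects, and a one-line comment above the check would help a later reader.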