On Thu, Mar 17, 2022 at 01:53:13PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > Bail out in case userspace uses registers over maximum number of register. > > > > Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") > > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > > --- > > net/netfilter/nf_tables_api.c | 23 ++++++++++++++++++----- > > 1 file changed, 18 insertions(+), 5 deletions(-) > > > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > > index d71a33ae39b3..829ecd310ae6 100644 > > --- a/net/netfilter/nf_tables_api.c > > +++ b/net/netfilter/nf_tables_api.c > > @@ -9275,17 +9275,24 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) > > } > > EXPORT_SYMBOL_GPL(nft_parse_u32_check); > > > > -static unsigned int nft_parse_register(const struct nlattr *attr) > > +static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) > > { > > unsigned int reg; > > > > reg = ntohl(nla_get_be32(attr)); > > + if (reg >= NFT_REG32_NUM) > > + return -ERANGE; > > + > > This breaks userspace. > > NFT_REG32_00 is 8, so this makes NFT_REG32_13, 14 and 15 invalid. Sending v2. Thanks for reviewing
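Review bot: The return type of nft_parse_register() is still `static unsigned int` although the added branch returns `-ERANGE`, so the error reaches callers as a large positive value; change the return type to `int` now that the result is delivered through the new `u32 *preg` argument. The added bound `if (reg >= NFT_REG32_NUM)` is also applied directly to the value read with `ntohl(nla_get_be32(attr))`, and as the reply notes, NFT_REG32_00 is 8, so NFT_REG32_13, 14 and 15 are rejected by it. The range test should be written against the highest register number userspace may legitimately send, not against the register count, so that existing rulesets keep loading while out-of-range values still fail with -ERANGE.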