Hi,

The following patchset contains Netfilter fixes for net:

1) Harden set element field checks to avoid out-of-bound memory access,
   this patch also fixes the type of issue described in 7e6bc1f6cabc
   ("netfilter: nf_tables: stricter validation of element data") in a
   broader way.

2) Patches to restrict the chain, set, and rule id lookup in the
   transaction to the corresponding top-level table, patches from
   Thadeu Lima de Souza Cascardo.

3) Fix incorrect comment in ip6t_LOG.h

4) nft_data_init() performs upfront validation of the expected data.
   struct nft_data_desc is used to describe the expected data to be
   received from userspace. The .size field represents the maximum size
   that can be stored, for bound checks. Then, .len is an input/output
   field which stores the expected length as input (this is optional, to
   restrict the checks); as output it stores the real length received
   from userspace (if it was not specified as input). This patch comes in
   response to 7e6bc1f6cabc ("netfilter: nf_tables: stricter validation
   of element data") to address this type of issue in a more generic way
   by avoiding open-coded data validation. Next patch requires this as a
   dependency.

5) Disallow jump to implicit chain from set element, this configuration
   is invalid. Only jump to chain via immediate expression is supported
   at this stage.

6) Fix possible null-pointer dereference in the error path of table
   updates, if memory allocation of the transaction fails. From Florian
   Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.
----------------------------------------------------------------
The following changes since commit b8c3bf0ed2edf2deaedba5f0bf0bb54c76dee71d:

  Merge tag 'for-net-2022-08-08' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth (2022-08-08 20:59:07 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 580077855a40741cf511766129702d97ff02f4d9:

  netfilter: nf_tables: fix null deref due to zeroed list head (2022-08-09 20:13:30 +0200)

----------------------------------------------------------------
Christophe JAILLET (1):
      netfilter: ip6t_LOG: Fix a typo in a comment

Florian Westphal (1):
      netfilter: nf_tables: fix null deref due to zeroed list head

Pablo Neira Ayuso (3):
      netfilter: nf_tables: validate variable length element extension
      netfilter: nf_tables: upfront validation of data via nft_data_init()
      netfilter: nf_tables: disallow jump to implicit chain from set element

Thadeu Lima de Souza Cascardo (3):
      netfilter: nf_tables: do not allow SET_ID to refer to another table
      netfilter: nf_tables: do not allow CHAIN_ID to refer to another table
      netfilter: nf_tables: do not allow RULE_ID to refer to another chain

 include/net/netfilter/nf_tables.h            |  13 +-
 include/uapi/linux/netfilter_ipv6/ip6t_LOG.h |   2 +-
 net/netfilter/nf_tables_api.c                | 184 ++++++++++++++++++---------
 net/netfilter/nft_bitwise.c                  |  66 +++++-----
 net/netfilter/nft_cmp.c                      |  44 +++----
 net/netfilter/nft_dynset.c                   |   2 +-
 net/netfilter/nft_immediate.c                |  22 +++-
 net/netfilter/nft_range.c                    |  27 ++--
 8 files changed, 222 insertions(+), 138 deletions(-)
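The descriptor semantics described in item 4 (.size as the bound for the destination, .len as an optional expected length on input and the real received length on output), shown as an added userspace illustration; this is not the kernel's nft_data_init() and the names data_desc, data_init, DATA_MAX and the constructed payload are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

#define DATA_MAX 16  /* hypothetical fixed storage standing in for the element extension */

/* Hypothetical descriptor mirroring the .size / .len semantics described in item 4. */
struct data_desc {
    size_t size;  /* maximum bytes the destination can hold, used for the bound check */
    size_t len;   /* in: expected length (0 = unrestricted); out: length actually received */
};

struct data { uint8_t buf[DATA_MAX]; };

/* Validate userspace-supplied bytes up front, before anything is written.
 * Returns 0 on success, -ERANGE if the data would not fit, -EINVAL if an
 * expected length was given and the received length does not match it. */
int data_init(struct data *dst, struct data_desc *desc,
              const uint8_t *src, size_t src_len)
{
    if (desc->size > DATA_MAX || src_len > desc->size)
        return -ERANGE;                     /* would overrun the destination */
    if (desc->len != 0 && src_len != desc->len)
        return -EINVAL;                     /* caller asked for an exact length */
    memset(dst->buf, 0, sizeof(dst->buf));
    memcpy(dst->buf, src, src_len);
    desc->len = src_len;                    /* output: the real length received */
    return 0;
}

/* Constructed input: the same 4-byte payload checked against three descriptors. */
static const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };

int check_unrestricted(void)    /* no expected length: accepted, len reported as 4 */
{
    struct data d; struct data_desc desc = { .size = 8, .len = 0 };
    return data_init(&d, &desc, payload, sizeof(payload)) == 0 && desc.len == 4;
}
int check_overflow(void)        /* .size smaller than the payload: rejected */
{
    struct data d; struct data_desc desc = { .size = 2, .len = 0 };
    return data_init(&d, &desc, payload, sizeof(payload)) == -ERANGE;
}
int check_exact_len(void)       /* expected 16 bytes, received 4: rejected */
{
    struct data d; struct data_desc desc = { .size = 16, .len = 16 };
    return data_init(&d, &desc, payload, sizeof(payload)) == -EINVAL;
}
```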