On Thu, Aug 31, 2023 at 06:04:37PM -0700, joao@xxxxxxxxxxxxxxxxxx wrote: > From: Joao Moreira <joao.moreira@xxxxxxxxx> > > In nft_flow_rule_create function, num_actions is a signed integer. Yet, > it is processed within a loop which increments its value. To prevent an > overflow from occurring, check if num_actions is not only equal to 0, > but also not negative. > > After checking with maintainers, it was mentioned that front-end will > cap the num_actions vlaue and that it is not possible to reach such > condition for an overflow. Yet, for correctness, it is still better to > fix this. > > Signed-off-by: Joao Moreira <joao.moreira@xxxxxxxxx> > --- > net/netfilter/nf_tables_offload.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c > index 12ab78fa5d84..20dbc95de895 100644 > --- a/net/netfilter/nf_tables_offload.c > +++ b/net/netfilter/nf_tables_offload.c > @@ -102,7 +102,7 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, > expr = nft_expr_next(expr); > } > > - if (num_actions == 0) > + if (num_actions <= 0) > return ERR_PTR(-EOPNOTSUPP); Better turn num_actions into unsigned int I'd suggest. Next hypothetical problem would be an overflow in the number of actions, you could check for UINT_MAX if you like here to report ENOMEM. Thanks. > flow = nft_flow_rule_alloc(num_actions); > -- > 2.41.0 >
