netfilter: nf_tables: reject unsupported chain flags

Bail out if userspace sends unsupported chain flags. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2020-07-04 02:51:28 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-07-04 02:51:28 +0200
commit: c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd (patch)
tree: b734a2cd2ed9ee3f00f7a7921ff49425b42e2a71 /net/netfilter
parent: d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87 (diff)
download: linux-c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd.tar.gz
linux-c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd.tar.bz2
linux-c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b8a970dad213..f96785586f64 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2285,6 +2285,9 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
 	else if (chain)
 		flags = chain->flags;
 
+	if (flags & ~NFT_CHAIN_FLAGS)
+		return -EOPNOTSUPP;
+
 	nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
 
 	if (chain != NULL) {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2020-07-04 02:51:28 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2020-07-04 02:51:28 +0200
commit	c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd (patch)
tree	b734a2cd2ed9ee3f00f7a7921ff49425b42e2a71 /net/netfilter
parent	d0e2c7de92c7f2b3d355ad76b0bb9fc43d1beb87 (diff)
download	linux-c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd.tar.gz linux-c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd.tar.bz2 linux-c1f79a2eefdcc0aef5d7a911c27a3f75f1936ecd.zip