netfilter: flowtable: check for maximum number of encapsulations in bridge vlan
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 27 Nov 2025 23:26:22 +0000 (23:26 +0000)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 27 Nov 2025 23:51:31 +0000 (23:51 +0000)
Add a sanity check to skip path discovery if the maximum number of
encapsulations is reached. While at it, check for underflow too.

Fixes: 26267bf9bb57 ("netfilter: flowtable: bridge vlan hardware offload and switchdev")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_flow_offload.c

index 14dd1c0698c3c9ec2241b358deb80976a8aa4a13..e95e5f59a3d6a31d738946e2eccb20c6ec9099b6 100644 (file)
@@ -141,12 +141,19 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
                                info->ingress_vlans |= BIT(info->num_encaps - 1);
                                break;
                        case DEV_PATH_BR_VLAN_TAG:
+                               if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
+                                       info->indev = NULL;
+                                       break;
+                               }
                                info->encap[info->num_encaps].id = path->bridge.vlan_id;
                                info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
                                info->num_encaps++;
                                break;
                        case DEV_PATH_BR_VLAN_UNTAG:
-                               info->num_encaps--;
+                               if (WARN_ON_ONCE(info->num_encaps-- == 0)) {
+                                       info->indev = NULL;
+                                       break;
+                               }
                                break;
                        case DEV_PATH_BR_VLAN_KEEP:
                                break;