5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 Mar 2024 17:36:09 +0000 (18:36 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 Mar 2024 17:36:09 +0000 (18:36 +0100)
added patches:
netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
series

queue-5.15/netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch [new file with mode: 0644]
queue-5.15/series [new file with mode: 0644]

diff --git a/queue-5.15/netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch b/queue-5.15/netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
new file mode 100644 (file)
index 0000000..39af302
--- /dev/null
@@ -0,0 +1,40 @@
+From e26d3009efda338f19016df4175f354a9bd0a4ab Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 16 Jun 2023 15:22:18 +0200
+Subject: netfilter: nf_tables: disallow timeout for anonymous sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit e26d3009efda338f19016df4175f354a9bd0a4ab upstream.
+
+Never used from userspace, disallow these parameters.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4682,6 +4682,9 @@ static int nf_tables_newset(struct sk_bu
+               if (!(flags & NFT_SET_TIMEOUT))
+                       return -EINVAL;
++              if (flags & NFT_SET_ANONYMOUS)
++                      return -EOPNOTSUPP;
++
+               err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
+               if (err)
+                       return err;
+@@ -4690,6 +4693,10 @@ static int nf_tables_newset(struct sk_bu
+       if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
+               if (!(flags & NFT_SET_TIMEOUT))
+                       return -EINVAL;
++
++              if (flags & NFT_SET_ANONYMOUS)
++                      return -EOPNOTSUPP;
++
+               desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
+       }
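Review bot: The `if (flags & NFT_SET_ANONYMOUS) return -EOPNOTSUPP;` guard is repeated verbatim in both the NFTA_SET_TIMEOUT branch and the NFTA_SET_GC_INTERVAL branch, and neither says why an anonymous set gets -EOPNOTSUPP for these attributes while a missing NFT_SET_TIMEOUT flag gets -EINVAL on the line just above. A one-line comment above the first guard would make the intent recoverable from the code, e.g. `/* anonymous sets are never created with a timeout or gc interval from userspace; refuse the attribute rather than carrying unused timer state */`. Folding both guards into a single check where the set flags are validated would remove the duplication, but it would presumably also reject anonymous sets that carry NFT_SET_TIMEOUT with neither attribute, which this patch leaves untouched, so the narrower per-attribute form should stay unless that broader rejection is intended. The blank-line placement also differs between the two hunks (none before the first guard, one before the second); picking one form keeps the two sites visibly parallel. nf_tables_newset begins and ends outside both hunks.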
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644 (file)
index 0000000..42d7784
--- /dev/null
@@ -0,0 +1 @@
+netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch