From: Greg Kroah-Hartman Date: Sat, 2 Mar 2024 17:36:18 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v4.19.309~94 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c7e22cda57c4319d367b3737e9c95ad60de9eed;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
---
diff --git a/queue-6.1/netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch b/queue-6.1/netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
new file mode 100644
index 00000000000..fe04bbff0d7
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
@@ -0,0 +1,40 @@
+From e26d3009efda338f19016df4175f354a9bd0a4ab Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 16 Jun 2023 15:22:18 +0200
+Subject: netfilter: nf_tables: disallow timeout for anonymous sets
+
+From: Pablo Neira Ayuso
+
+commit e26d3009efda338f19016df4175f354a9bd0a4ab upstream.
+
+Never used from userspace, disallow these parameters.
+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4752,6 +4752,9 @@ static int nf_tables_newset(struct sk_bu
+ if (!(flags & NFT_SET_TIMEOUT))
+ return -EINVAL;
+
++ if (flags & NFT_SET_ANONYMOUS)
++ return -EOPNOTSUPP;
++
+ err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
+ if (err)
+ return err;
+@@ -4760,6 +4763,10 @@ static int nf_tables_newset(struct sk_bu
+ if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
+ if (!(flags & NFT_SET_TIMEOUT))
+ return -EINVAL;
++
++ if (flags & NFT_SET_ANONYMOUS)
++ return -EOPNOTSUPP;
++
+ desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
+ }
+
diff --git a/queue-6.1/series b/queue-6.1/series
index f1da3238005..d93db114d81 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
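Review bot: The two added `NFT_SET_ANONYMOUS` checks in the queued patch only run when a set-level `NFTA_SET_TIMEOUT` or `NFTA_SET_GC_INTERVAL` attribute is present, so an anonymous set created with the `NFT_SET_TIMEOUT` flag but neither attribute is still accepted by the lines shown here. If the intent is that anonymous sets never carry expiring elements, rejecting the flag combination where `flags` is validated would cover that case too, e.g. `if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) == (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT)) return -EOPNOTSUPP;`. The flag parsing in `nf_tables_newset()` lies outside both inner hunks, so an equivalent check may already exist; this should be confirmed against the 6.1 tree before relying on the backport alone. A one-line comment above each new check stating why the combination is refused would also help, since the commit message only says the parameters are never used from userspace.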
@@ -1,3 +1,4 @@
+netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
 drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch
 drm-meson-don-t-remove-bridges-which-are-created-by-.patch
 scsi-core-add-struct-for-args-to-execution-functions.patch