netfilter: flowtable: check for maximum number of encapsulations in bridge vlan

[ Upstream commit 634f3853cc98d73bdec8918010ee29b06981583e ]

Add a sanity check to skip path discovery if the maximum number of
encapsulation is reached. While at it, check for underflow too.

Fixes: 26267bf9bb57 ("netfilter: flowtable: bridge vlan hardware offload and switchdev")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 41d04fa12f67dd662474ac10acad7f7bf4521d19..e1d7231b87748c1c88a9dc2f2d863000041c3d12 100644 (file)
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -140,12 +140,19 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
                                info->ingress_vlans |= BIT(info->num_encaps - 1);
                                break;
                        case DEV_PATH_BR_VLAN_TAG:
+                               if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
+                                       info->indev = NULL;
+                                       break;
+                               }
                                info->encap[info->num_encaps].id = path->bridge.vlan_id;
                                info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
                                info->num_encaps++;
                                break;
                        case DEV_PATH_BR_VLAN_UNTAG:
-                               info->num_encaps--;
+                               if (WARN_ON_ONCE(info->num_encaps-- == 0)) {
+                                       info->indev = NULL;
+                                       break;
+                               }
                                break;
                        case DEV_PATH_BR_VLAN_KEEP:
                                break;