netfilter: nf_tables: disallow timeout for anonymous sets
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 16 Jun 2023 13:22:18 +0000 (15:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 13 Apr 2024 10:59:18 +0000 (12:59 +0200)
commit e26d3009efda338f19016df4175f354a9bd0a4ab upstream.

These parameters are never used from userspace, so disallow them.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[Keerthana: code surrounding the patch is different
because nft_set_desc is not present in v4.19-v5.10]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/netfilter/nf_tables_api.c

index 0ba2a46a5370fb0140bf445c562650a0176f4a50..3c191c7df9883e2d2a53bcf848e1a61442aa3c7e 100644 (file)
@@ -4457,6 +4457,9 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
                if (!(flags & NFT_SET_TIMEOUT))
                        return -EINVAL;
 
+               if (flags & NFT_SET_ANONYMOUS)
+                       return -EOPNOTSUPP;
+
                err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
                if (err)
                        return err;
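Review bot: The new NFT_SET_ANONYMOUS rejection in front of the timeout parse carries no comment saying why an anonymous set may not take a set-wide timeout, and the same two-line check is repeated for NFTA_SET_GC_INTERVAL in the following hunk; a one-line comment above the first check, `/* Anonymous sets never carry a set-wide timeout or GC interval from userspace. */`, would keep the rationale from the commit message next to the code. The placement itself is sound: the check runs after the NFT_SET_TIMEOUT flag validation and before nf_msecs_to_jiffies64() reads the attribute, so nothing is parsed or stored for the rejected case. Returning -EOPNOTSUPP here while the preceding flag mismatch returns -EINVAL looks deliberate, but it is worth confirming that the backport matches the upstream error codes. The enclosing attribute check (presumably `if (nla[NFTA_SET_TIMEOUT] != NULL)`, mirroring the GC_INTERVAL block) starts before the hunk.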
@@ -4465,6 +4468,10 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
        if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
                if (!(flags & NFT_SET_TIMEOUT))
                        return -EINVAL;
+
+               if (flags & NFT_SET_ANONYMOUS)
+                       return -EOPNOTSUPP;
+
                gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
        }