netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue

Ensure the expectation tuple and mask attributes are present in netlink
message, otherwise null-ptr-deref is possible.

Fixes: bd0779370588 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d7209d1241114581663dfbfa3fcba254db90a617..befa7e83ee49f53a8a5b9c2d32d020c61ca66ae5 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2872,6 +2872,9 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
        if (err < 0)
                return err;
 
+       if (!cda[CTA_EXPECT_TUPLE] || !cda[CTA_EXPECT_MASK])
+               return -EINVAL;
+
        err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
                                       ct, &tuple, &mask);
        if (err < 0)