From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 7 May 2026 21:57:55 +0000 (+0200)
Subject: netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8ef54c83ad70b81735b506431affadd2f720aa1;p=thirdparty%2Fkernel%2Flinux.git

netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue

Ensure the expectation tuple and mask attributes are present in netlink
message, otherwise null-ptr-deref is possible.

Fixes: bd0779370588 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d7209d124111..befa7e83ee49 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2872,6 +2872,9 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
 	if (err < 0)
 		return err;
 
+	if (!cda[CTA_EXPECT_TUPLE] || !cda[CTA_EXPECT_MASK])
+		return -EINVAL;
+
 	err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
 				       ct, &tuple, &mask);
 	if (err < 0)