[SRU Bionic 1/1] netfilter: nf_tables: stricter validation of element data
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu Jul 14 21:28:27 UTC 2022
From: Pablo Neira Ayuso <pablo at netfilter.org>
Make sure element data type and length do not mismatch the one specified
by the set declaration.
Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
Reported-by: Hugues ANGUELKOV <hanguelkov at randorisec.fr>
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
CVE-2022-34918
(backported from commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6)
[cengizcan: target function does not exist until 5.8 so follow history
backwards, find previous place of length check and adapt the change for
5.4]
Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
net/netfilter/nf_tables_api.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 84ed8711bd44..072e8fe256c9 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3963,6 +3963,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
struct nft_data data;
enum nft_registers dreg;
struct nft_trans *trans;
+ u32 dtype;
u32 flags = 0;
u64 timeout;
u8 ulen;
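Review bot: the new `u32 dtype` local is declared without an initializer, which is fine only because the second hunk assigns it on both branches of the `if (set->dtype == NFT_DATA_VERDICT)` / `else` before the single comparison that reads it; if a later backport ever adds an early `goto err3` between the declaration and that assignment, the compiler will not warn, so consider keeping the assignment adjacent to the check as this hunk pair does. Placement among the `u32 flags = 0;` / `u64 timeout;` / `u8 ulen;` declarations matches the surrounding ordering, so no style change is needed.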
@@ -4048,7 +4049,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
goto err2;
err = -EINVAL;
- if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
+
+ if (set->dtype == NFT_DATA_VERDICT)
+ dtype = NFT_DATA_VERDICT;
+ else
+ dtype = NFT_DATA_VALUE;
+
+ if (dtype != d2.type || set->dlen != d2.len)
goto err3;
dreg = nft_type_to_reg(set->dtype);
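Review bot: the replacement check `if (dtype != d2.type || set->dlen != d2.len)` is the substantive fix and is stricter than the removed line in two ways worth spelling out in the backport note: the removed `set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen` never compared the parsed element's `d2.type` against the set at all, and it skipped the length comparison entirely for verdict sets. The new code maps `set->dtype` to either `NFT_DATA_VERDICT` or `NFT_DATA_VALUE` before comparing, which is necessary because `set->dtype` for non-verdict sets carries the user-visible type id rather than the internal `nft_data` type, so a direct `set->dtype != d2.type` would reject valid elements. Since the length comparison now also runs for verdict sets, please confirm in the 5.4 tree that `set->dlen` is populated for verdict sets at set creation (the upstream commit relies on that); a one-line mention in the `[cengizcan: ...]` note would help the next backporter. The added blank `+` line after `err = -EINVAL;` is cosmetic and keeps the diff closer to upstream, which is fine.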
--
2.34.1