netfilter: nf_tables: check if same extensions are set when adding elements

If no NLM_F_EXCL is set and the element already exists in the set, make sure that both elements have the same extensions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2017-05-01 06:58:50 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2017-05-03 04:58:00 -0400
commit: 9744a6fcefcb4d56501d69adb04c24559d353cad (patch)
tree: 679f52405bc4a0003dc105908b207a31dfd211ff
parent: 1519fccb34371594f6a629bfad69605bc6f9dde3 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 434c739dfeca..11a96e8dd3cd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3749,6 +3749,11 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
        err = set->ops->insert(ctx->net, set, &elem, &ext2);
        if (err) {
                if (err == -EEXIST) {
+                        if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
+                            nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
+                            nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
+                            nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
+                                return -EBUSY;
                        if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
                             nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
                             memcmp(nft_set_ext_data(ext),
author	Pablo Neira Ayuso <pablo@netfilter.org>	2017-05-01 06:58:50 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2017-05-03 04:58:00 -0400
commit	9744a6fcefcb4d56501d69adb04c24559d353cad (patch)
tree	679f52405bc4a0003dc105908b207a31dfd211ff
parent	1519fccb34371594f6a629bfad69605bc6f9dde3 (diff)