[NETFILTER]: ctnetlink: check for status attribute existence on conntrack creation

Check that status flags are available in the netlink message received
to create a new conntrack.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

2 files changed, 10 insertions, 6 deletions

diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 3d277aa869dd..d5d2efddba57 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -945,9 +945,11 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
         ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
         ct->status |= IPS_CONFIRMED;
 
-        err = ctnetlink_change_status(ct, cda);
-        if (err < 0)
-                goto err;
+        if (cda[CTA_STATUS-1]) {
+                err = ctnetlink_change_status(ct, cda);
+                if (err < 0)
+                        goto err;
+        }
 
         if (cda[CTA_PROTOINFO-1]) {
                 err = ctnetlink_change_protoinfo(ct, cda);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 7357b8f47acd..ba77183be2f3 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -963,9 +963,11 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
         ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
         ct->status |= IPS_CONFIRMED;
 
-        err = ctnetlink_change_status(ct, cda);
-        if (err < 0)
-                goto err;
+        if (cda[CTA_STATUS-1]) {
+                err = ctnetlink_change_status(ct, cda);
+                if (err < 0)
+                        goto err;
+        }
 
         if (cda[CTA_PROTOINFO-1]) {
                 err = ctnetlink_change_protoinfo(ct, cda);