author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-15 18:16:57 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-18 08:16:11 -0400 |
commit | 5c819a39753d6a3ae9c0092236f59730a369b619 (patch) | |
tree | c980ff48d390d3bd6199d786248afe0b24372d3d /net/netfilter | |
parent | f3f5ddeddd6aeadcef523d55ea9288e3d5c1cbc3 (diff) |
netfilter: nft_nat: insufficient attribute validation
We have to validate that we get at least an NFTA_NAT_REG_ADDR_MIN or
NFTA_NAT_REG_PROTO_MIN attribute. Reject the configuration if neither
of them is present.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/nft_nat.c | 4 |
1 files changed, 3 insertions, 1 deletions
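--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -99,7 +99,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 if (err < 0)
 return err;
 
-if (tb[NFTA_NAT_TYPE] == NULL)
+if (tb[NFTA_NAT_TYPE] == NULL ||
+(tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
+tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
 return -EINVAL;
 
 switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {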
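Review bot: The widened test on `tb[NFTA_NAT_TYPE]` only requires one of the two *_MIN attributes, so a request that carries `NFTA_NAT_REG_ADDR_MAX` or `NFTA_NAT_REG_PROTO_MAX` without the matching *_MIN still gets past this gate as long as the other pair's *_MIN is set. Whether the later register parsing rejects that combination cannot be seen here, because nft_nat_init starts before and continues past the hunk. If it does not, a guard such as `if (tb[NFTA_NAT_REG_ADDR_MAX] && !tb[NFTA_NAT_REG_ADDR_MIN]) return -EINVAL;`, with the same check for the PROTO pair, would keep a range from being built with an unset lower bound. A one-line comment above the condition, for example `/* a NAT mapping needs an address or a port range source */`, would also record why the two NULL tests are and-ed while the type test is or-ed.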