netfilter: nft_nat: insufficient attribute validation

We have to validate that we at least get an NFTA_NAT_REG_ADDR_MIN or NFTA_NFT_REG_PROTO_MIN attribute. Reject the configuration if none of them are present. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-10-16 00:16:57 +02:00 · 2014-10-16 00:16:57 +02:00 · 5c819a3975
parent f3f5ddeddd
commit 5c819a3975
1 changed files with 3 additions and 1 deletions
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@ -99,7 +99,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
 	if (err < 0)
 		return err;

-	if (tb[NFTA_NAT_TYPE] == NULL)
+	if (tb[NFTA_NAT_TYPE] == NULL ||
+	    (tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
+	     tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
 		return -EINVAL;

 	switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {