
Commit 05f66316 authored by Pablo Neira Ayuso, committed by Greg Kroah-Hartman

netfilter: nf_tables: reject expiration higher than timeout



[ Upstream commit c0f38a8c60174368aed1d0f9965d733195f15033 ]

Report ERANGE to userspace if user specifies an expiration larger than
the timeout.

Fixes: 8e1102d5 ("netfilter: nf_tables: support timeouts larger than 23 days")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
parent bd6b2e3a
+3 −0
@@ -4894,6 +4894,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
					    &expiration);
		if (err)
			return err;

		if (expiration > timeout)
			return -ERANGE;
	}

	err = nft_setelem_parse_key(ctx, set, &elem.key.val,
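
Review bot: The new `if (expiration > timeout)` check relies on `timeout` already holding its final value, in the same unit as the `expiration` just converted by the call above it, and neither the assignment of `timeout` nor its unit is visible in this hunk. Please confirm that `timeout` is fully resolved before this block, and state what is intended when it is still zero at this point: as written, any nonzero expiration would then be rejected with -ERANGE. A one-line comment above the check covering that case would help. Since the comparison is strict, an expiration equal to the timeout is still accepted, which matches the commit message ("larger than the timeout"). The new ERANGE return also changes what userspace sees for this attribute, so it deserves a mention wherever its error codes are documented.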