diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-08-22 12:06:39 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-31 18:15:19 +0300 |
| commit | c08a104a8bce832f6e7a4e8d9ac091777b9982ea (patch) | |
| tree | cc4a078e51f73feee17725dba26d2a02939624fe /net/netfilter | |
| parent | 6301a73bd83d94b9b3eab8581adb04e40fb5f079 (diff) | |
| download | linux-c08a104a8bce832f6e7a4e8d9ac091777b9982ea.tar.xz | |
netfilter: nf_tables: disallow binding to already bound chain
[ Upstream commit e02f0d3970404bfea385b6edb86f2d936db0ea2b ]
Update nft_data_init() to report EINVAL if chain is already bound.
Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Reported-by: Gwangun Jung <exsociety@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index b36728cfc5d8..1b039476e4d6 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -8678,6 +8678,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, return PTR_ERR(chain); if (nft_is_base_chain(chain)) return -EOPNOTSUPP; + if (nft_chain_is_bound(chain)) + return -EINVAL; if (desc->flags & NFT_DATA_DESC_SETELEM && chain->flags & NFT_CHAIN_BINDING) return -EINVAL; |