netfilter: nft_set_pipapo: skip inactive elements during set walk

jira VULN-6811 cve CVE-2023-6817 commit-author Florian Westphal <[email protected]> commit 317eb96 upstream-diff Additional newline because this kernel has not removed the nft_set_elem_expired call yet Otherwise set elements can be deactivated twice which will cause a crash. Reported-by: Xingyuan Mo <[email protected]> Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges") Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 317eb96) Signed-off-by: Brett Mastbergen <[email protected]>
ctrliq · Feb 5, 2025 · ad2f602 · ad2f602
1 parent a40f468
commit ad2f602
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
@@ -1981,6 +1981,10 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 			goto cont;
 
 		e = f->mt[r].e;
+
+		if (!nft_set_elem_active(&e->ext, iter->genmask))
+			goto cont;
+
 		if (nft_set_elem_expired(&e->ext))
 			goto cont;