netfilter: nf_tables: unbind non-anonymous set if rule construction fails

PlaidCat · PlaidCat · commit e352fe4237fa · 2024-09-13T11:43:33.000-04:00
jira LE-1907 cve CVE-2023-3390 Rebuild_History Non-Buildable kernel-rt-5.14.0-284.30.1.rt14.315.el9_2 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 3e70489 Otherwise a dangling reference to a rule object that is gone remains in the set binding list. Fixes: 26b5a57 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 3e70489) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -4921,6 +4921,8 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 		nft_set_trans_unbind(ctx, set);
 		if (nft_set_is_anonymous(set))
 			nft_deactivate_next(ctx->net, set);
+		else
+			list_del_rcu(&binding->list);
 
 		set->use--;
 		break;
