netfilter: nft_ct: fix l3num expectations with inet pseudo family

CVE: CVE-2024-26673
JIRA: https://issues.redhat.com/browse/RHEL-31345
Upstream Status: commit 9999378

commit 9999378
Author: Florian Westphal <fw@strlen.de>
Date:   Fri Mar 1 13:38:15 2024 +0100

    netfilter: nft_ct: fix l3num expectations with inet pseudo family

    Following is rejected but should be allowed:

    table inet t {
            ct expectation exp1 {
                    [..]
                    l3proto ip

    Valid combos are:
    table ip t, l3proto ip
    table ip6 t, l3proto ip6
    table inet t, l3proto ip OR l3proto ip6

    Disallow inet pseudeo family, the l3num must be a on-wire protocol known
    to conntrack.

    Retain NFPROTO_INET case to make it clear its rejected
    intentionally rather as oversight.

    Fixes: 8059918 ("netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>

Author: SirPhuttel

net/netfilter/nft_ct.c

@@ -1193,14 +1193,13 @@ static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
 	switch (priv->l3num) {
 	case NFPROTO_IPV4:
 	case NFPROTO_IPV6:
-		if (priv->l3num != ctx->family)
-			return -EINVAL;
+		if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET)
+			break;
 
-		fallthrough;
-	case NFPROTO_INET:
-		break;
+		return -EINVAL;
+	case NFPROTO_INET: /* tuple.src.l3num supports NFPROTO_IPV4/6 only */
 	default:
-		return -EOPNOTSUPP;
+		return -EAFNOSUPPORT;
 	}
 
 	priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);