netfilter: nftables: add catch-all set element support

jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-511
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit aaa3104

upstream-diff We only take two small pieces of code from this patch. The
netfilters folks made a big NO NO by making a commit with a new feature
as well as adding some additional safety checks.  Red Hat took the
additional safety checks but without any of the rest of this rather
large patch.  Confusion reigns, some kernel developers ran around with
their hair on fire for a couple of days, NBD they do that all the time
anyway, but this commit has the necessary bits for backporting the
remaining netfilter bits for this VULN ticket.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Rose <g.v.rose@ciq.com>

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -4630,7 +4630,8 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
 	if (nest == NULL)
 		goto nla_put_failure;
 
-	if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
+	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
+	    nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
 			  NFT_DATA_VALUE, set->klen) < 0)
 		goto nla_put_failure;
 
@@ -5093,7 +5094,8 @@ void *nft_set_elem_init(const struct nft_set *set,
 	ext = nft_set_elem_ext(set, elem);
 	nft_set_ext_init(ext, tmpl);
 
-	memcpy(nft_set_ext_key(ext), key, set->klen);
+	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY))
+		memcpy(nft_set_ext_key(ext), key, set->klen);
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
 		memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))