netfilter: nft_set_pipapo: skip inactive elements during set walk

bmastbergen · bmastbergen · commit ad25f6dd0083 · 2025-03-28T11:15:48.000-04:00
jira VULN-6807 cve CVE-2023-6817 commit-author Florian Westphal <fw@strlen.de> commit 317eb96 upstream-diff Additional newline because this kernel has not removed the nft_set_elem_expired call yet Otherwise set elements can be deactivated twice which will cause a crash. Reported-by: Xingyuan Mo <hdthky0@gmail.com> Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 317eb96) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
@@ -1870,6 +1870,10 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 			goto cont;
 
 		e = f->mt[r].e;
+
+		if (!nft_set_elem_active(&e->ext, iter->genmask))
+			goto cont;
+
 		if (nft_set_elem_expired(&e->ext))
 			goto cont;
 
