netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue

Ensure the expectation tuple and mask attributes are present in netlink message, otherwise null-ptr-deref is possible. Fixes: bd0779370588 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2026-05-08 00:57:55 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2026-05-08 02:30:17 +0300
commit: d8ef54c83ad70b81735b506431affadd2f720aa1 (patch)
tree: 07fdb027fb7c86d737f48b2d0c47608482188112
parent: dcb0f9aefdd604d36710fda53c25bd7cf4a3e37a (diff)
download: linux-d8ef54c83ad70b81735b506431affadd2f720aa1.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d7209d124111..befa7e83ee49 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2872,6 +2872,9 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
 	if (err < 0)
 		return err;
 
+	if (!cda[CTA_EXPECT_TUPLE] || !cda[CTA_EXPECT_MASK])
+		return -EINVAL;
+
 	err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
 				       ct, &tuple, &mask);
 	if (err < 0)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2026-05-08 00:57:55 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2026-05-08 02:30:17 +0300
commit	d8ef54c83ad70b81735b506431affadd2f720aa1 (patch)
tree	07fdb027fb7c86d737f48b2d0c47608482188112
parent	dcb0f9aefdd604d36710fda53c25bd7cf4a3e37a (diff)
download	linux-d8ef54c83ad70b81735b506431affadd2f720aa1.tar.xz