netfilter: nft_nat: insufficient attribute validation

We have to validate that we at least get an NFTA_NAT_REG_ADDR_MIN or
NFTA_NFT_REG_PROTO_MIN attribute. Reject the configuration if none
of them are present.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 0f0af6e86fb8a5ae2881ffaa91054cebfa8d8549..5078f1f1c569df93d466e2c5bd8c3b85f9277dd0 100644 (file)
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -99,7 +99,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
        if (err < 0)
                return err;
 
-       if (tb[NFTA_NAT_TYPE] == NULL)
+       if (tb[NFTA_NAT_TYPE] == NULL ||
+           (tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
+            tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
                return -EINVAL;
 
        switch (ntohl(nla_get_be32(tb[NFTA_NAT_TYPE]))) {