netfilter: nf_tables: validate chain type update if available

Parse netlink attribute containing the chain type in this update, to
bail out if this is different from the existing type.

Otherwise, it is possible to define a chain with the same name, hook and
priority but different type, which is silently ignored.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4c3de1a2c52bf745172bd0e064f2f09d8b795feb..5531b13d92b6e2c276e76901e6cbedd16cc5af35 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2261,7 +2261,16 @@ static int nft_chain_parse_hook(struct net *net,
                                return -EOPNOTSUPP;
                }
 
-               type = basechain->type;
+               if (nla[NFTA_CHAIN_TYPE]) {
+                       type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
+                                                            family);
+                       if (!type) {
+                               NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
+                               return -ENOENT;
+                       }
+               } else {
+                       type = basechain->type;
+               }
        }
 
        if (!try_module_get(type->owner)) {