netfilter: nf_tables: disallow timeout for anonymous sets

jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-511
commit-author Pablo Neira Ayuso <[email protected]>
commit e26d300

Never used from userspace, disallow these parameters.

    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    (cherry picked from commit e26d300)
    Signed-off-by: Greg Rose <[email protected]>

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -4164,6 +4164,10 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
 	if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
 		if (!(flags & NFT_SET_TIMEOUT))
 			return -EINVAL;
+
+		if (flags & NFT_SET_ANONYMOUS)
+			return -EOPNOTSUPP;
+
 		gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
 	}
 
@@ -5342,6 +5346,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
 		if (!(set->flags & NFT_SET_TIMEOUT))
 			return -EINVAL;
+
+		if (flags & NFT_SET_ANONYMOUS)
+			return -EOPNOTSUPP;
+
 		err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
 					    &timeout);
 		if (err)