netfilter: nf_tables: bail out on mismatching dynset and set expressions

jira VULN-683
cve CVE-2023-6622
commit-author Pablo Neira Ayuso <[email protected]>
commit 3701cd3

If dynset expressions provided by userspace is larger than the declared
set expressions, then bail out.

Fixes: 48b0ae0 ("netfilter: nftables: netlink support for several set element expressions")
	Reported-by: Xingyuan Mo <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 3701cd3)
	Signed-off-by: Greg Rose <[email protected]>

Author: gvrose8192

net/netfilter/nft_dynset.c

@@ -274,10 +274,15 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 			priv->expr_array[i] = dynset_expr;
 			priv->num_exprs++;
 
-			if (set->num_exprs &&
-			    dynset_expr->ops != set->exprs[i]->ops) {
-				err = -EOPNOTSUPP;
-				goto err_expr_free;
+			if (set->num_exprs) {
+				if (i >= set->num_exprs) {
+					err = -EINVAL;
+					goto err_expr_free;
+				}
+				if (dynset_expr->ops != set->exprs[i]->ops) {
+					err = -EOPNOTSUPP;
+					goto err_expr_free;
+				}
 			}
 			i++;
 		}