netfilter: nf_tables: stricter validation of element data

mainline inclusion
from mainline-v5.19-rc6
commit 7e6bc1f6
category: bugfix
bugzilla: 187147, https://gitee.com/src-openeuler/kernel/issues/I5GCQH
CVE: CVE-2022-34918

--------------------------------

Make sure element data type and length do not mismatch the one specified
by the set declaration.

Fixes: 7d740264 ("netfilter: nf_tables: variable sized set element keys / data")
Reported-by: NHugues ANGUELKOV <hanguelkov@randorisec.fr>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>

conflict:
	net/netfilter/nf_tables_api.c
Signed-off-by: NLu Wei <luwei32@huawei.com>
Reviewed-by: NWei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
Signed-off-by: NYongqiang Liu <liuyongqiang13@huawei.com>

net/netfilter/nf_tables_api.c

@@ -4434,13 +4434,20 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	}
 
 	if (nla[NFTA_SET_ELEM_DATA] != NULL) {
+		u32 dtype;
+
 		err = nft_data_init(ctx, &data, sizeof(data), &d2,
 				    nla[NFTA_SET_ELEM_DATA]);
 		if (err < 0)
 			goto err2;
 
 		err = -EINVAL;
-		if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
+		if (set->dtype == NFT_DATA_VERDICT)
+			dtype = NFT_DATA_VERDICT;
+		else
+			dtype = NFT_DATA_VALUE;
+
+		if (dtype != d2.type || set->dlen != d2.len)
 			goto err3;
 
 		dreg = nft_type_to_reg(set->dtype);