netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2189550
Upstream Status: commit bd05876

Conflicts: net/netfilter/nf_tables_api.c

Context only, CS9 lacks
b9703ed ("netfilter: nf_tables: support for adding new devices to an existing netdev chain").

commit bd05876
Author: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Date:   Wed May 24 12:25:27 2023 +0000

    netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()

    The nla_nest_start_noflag() function may fail and return NULL;
    the return value needs to be checked.

    Found by InfoTeCS on behalf of Linux Verification Center
    (linuxtesting.org) with SVACE.

    Fixes: d54725c ("netfilter: nf_tables: support for multiple devices per netdev hook")
    Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/nf_tables_api.c

@@ -1509,6 +1509,10 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
 
 	if (nft_base_chain_netdev(family, ops->hooknum)) {
 		nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
+
+		if (!nest_devs)
+			goto nla_put_failure;
+
 		list_for_each_entry(hook, &basechain->hook_list, list) {
 			if (!first)
 				first = hook;