Linux Kernel Netfilter Open Interval Overlap Validation Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically in the nft_set_rbtree set backend, has been addressed. The issue arose from the handling of open intervals, which have no end element and therefore could not be validated for overlap correctly. This vulnerability affected several Linux kernel versions. The problem was resolved by introducing a new flag in the nft_set_elem structure that marks the last element of an add or delete command. With this flag, an open interval can be validated properly by checking it for overlaps with existing intervals. The patch also includes improvements for deleting open intervals without causing errors when new elements are added afterwards.

Impact

The vulnerability could lead to improper validation of interval overlaps, potentially allowing incorrect handling of set elements in netfilter, which could be exploited to disrupt normal operation or introduce errors into packet filtering rules.

Added: Mar 25, 2026, 12:32 PM
Updated: Mar 25, 2026, 12:32 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.5
remediation: 7.7
relevance: 4.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.