Description: netfilter: ctnetlink: add a range check for l3/l4 protonum
References:
 https://twitter.com/grsecurity/status/1303646421158109185
 https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200908150947.12623-2-pablo@netfilter.org/
Notes:
 bwh> Introduced in 2.6.17 by commit c1d10adb4a52 "[NETFILTER]: Add
 bwh> ctnetlink port for nf_conntrack".
Bugs:
upstream: released (5.9-rc7) [1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6]
4.19-upstream-stable: released (4.19.150) [289fe546ea16c2dcb57c5198c5a7b7387604530e]
4.9-upstream-stable: needed
sid: pending (5.8.14-1)
4.19-buster-security: needed
4.9-stretch-security: needed