netfilter pull request 24-08-28
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmbPlL4ACgkQ1V2XiooU IOQyXQ//XtyH2hsgDDFEJ2Wx6L8c68zX9UYoDnOEVy+ivZXUIQkbvqI/HoNN+RWA XjTCdeEXTNmhTC+GRPD3YL4HxjRiBSDSVuRWr/TQvrkK709+EM+2nOtbkD58h2+M qv0LWb3q8pGhlOmloMuAo9naKMx2ZuG0a4zGOWwhbrTrpHvgSpb1XrAB4iEz2bSK i9I1Ys/kGlR7HoMAhkj/C729DTl655s+W7T73HNp9ne5Mj07KLL6HLuw3+3XYJhz I32w/zXZ8+x0OxxMk1OrfULBQpYZRldvBGWtdNm3h9hQDtHd3PUcTMNPLu+0NvVF eqlpN02Zn/O/3yqWHwJniSZng/G+yzhw9ToSe/50R35jhY5IdNKMQogYQaH3eW2n 35Ge+SFACWvHnqsKyIERrbQMBBRN9eC/L/Epp/a2IlBGz+ob0xg8yjoBn9VdHN/H lrKJhEFnsan8X9y68MXWgp0OSdxHZkLpmhjm6q5Pv8SpdhnnPc+DQWwl9ihwnoGi veDhlD2h0xcMUzYXNgQ5Pj6oU+pWELIWDLSzE7q8NnODs6ig13jrSFV/j/wTPmWs 8gBy+9YPTw6qUHxVLjl9cDS0W7i5/+OA32z+FU8wH506YFbv58Gq5i1KcORxT780 CAfc1A0wNwNUEbMudWGprf+Vjh/ffWitRCe6wcYL8sSKjCZ2r1g= =baH4 -----END PGP SIGNATURE----- Merge tag 'nf-24-08-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: Patch #1 sets on NFT_PKTINFO_L4PROTO for UDP packets less than 4 bytes payload from netdev/egress by subtracting skb_network_offset() when validating IPv4 packet length, otherwise 'meta l4proto udp' never matches. Patch #2 subtracts skb_network_offset() when validating IPv6 packet length for netdev/egress. netfilter pull request 24-08-28 * tag 'nf-24-08-28' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables_ipv6: consider network offset in netdev/egress validation netfilter: nf_tables: restore IP sanity checks for netdev/egress ==================== Link: https://patch.msgid.link/20240828214708.619261-1-pablo@netfilter.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
commit
0240bceb0d
@ -19,7 +19,7 @@ static inline void nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt)
|
||||
static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
|
||||
{
|
||||
struct iphdr *iph, _iph;
|
||||
u32 len, thoff;
|
||||
u32 len, thoff, skb_len;
|
||||
|
||||
iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb),
|
||||
sizeof(*iph), &_iph);
|
||||
@ -30,8 +30,10 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
|
||||
return -1;
|
||||
|
||||
len = iph_totlen(pkt->skb, iph);
|
||||
thoff = skb_network_offset(pkt->skb) + (iph->ihl * 4);
|
||||
if (pkt->skb->len < len)
|
||||
thoff = iph->ihl * 4;
|
||||
skb_len = pkt->skb->len - skb_network_offset(pkt->skb);
|
||||
|
||||
if (skb_len < len)
|
||||
return -1;
|
||||
else if (len < thoff)
|
||||
return -1;
|
||||
@ -40,7 +42,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
|
||||
|
||||
pkt->flags = NFT_PKTINFO_L4PROTO;
|
||||
pkt->tprot = iph->protocol;
|
||||
pkt->thoff = thoff;
|
||||
pkt->thoff = skb_network_offset(pkt->skb) + thoff;
|
||||
pkt->fragoff = ntohs(iph->frag_off) & IP_OFFSET;
|
||||
|
||||
return 0;
|
||||
|
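Review bot: The new `skb_len = pkt->skb->len - skb_network_offset(pkt->skb);` is an unsigned subtraction with no note on why it cannot wrap; it is safe only because the skb_header_pointer() lookup above (only its `return -1;` is visible at the top of the hunk) has already established that skb->len covers the network offset plus sizeof(*iph). A one-line comment would make that invariant explicit, e.g. `/* skb->len includes the bytes before the network header on netdev/egress; skb_header_pointer() above guarantees this cannot underflow */`. With thoff now relative to the network header, the later `pkt->thoff = skb_network_offset(pkt->skb) + thoff;` is the only place the absolute offset is rebuilt, which is worth a short comment as well so nobody "simplifies" it back. `__nft_set_pktinfo_ipv4_validate` starts before and ends after these hunks.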
@ -31,8 +31,8 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
|
||||
struct ipv6hdr *ip6h, _ip6h;
|
||||
unsigned int thoff = 0;
|
||||
unsigned short frag_off;
|
||||
u32 pkt_len, skb_len;
|
||||
int protohdr;
|
||||
u32 pkt_len;
|
||||
|
||||
ip6h = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb),
|
||||
sizeof(*ip6h), &_ip6h);
|
||||
@ -43,7 +43,8 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
|
||||
return -1;
|
||||
|
||||
pkt_len = ntohs(ip6h->payload_len);
|
||||
if (pkt_len + sizeof(*ip6h) > pkt->skb->len)
|
||||
skb_len = pkt->skb->len - skb_network_offset(pkt->skb);
|
||||
if (pkt_len + sizeof(*ip6h) > skb_len)
|
||||
return -1;
|
||||
|
||||
protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, &flags);
|
||||
|
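Review bot: The new `skb_len = pkt->skb->len - skb_network_offset(pkt->skb);` duplicates the expression the IPv4 validator in this commit now uses, so the two sanity checks can silently drift apart; a shared helper such as `static inline u32 nft_pkt_skb_len(const struct sk_buff *skb) { return skb->len - skb_network_offset(skb); }` called from both validators would keep them aligned. Note that the check `pkt_len + sizeof(*ip6h) > skb_len` is vacuous when `payload_len` is zero (an IPv6 jumbogram), since the preceding skb_header_pointer() presumably already guarantees skb_len >= sizeof(*ip6h); that is pre-existing rather than introduced here, but a comment stating that jumbograms are not length-validated at this point would help the next reader. `__nft_set_pktinfo_ipv6_validate` starts before and ends after these hunks.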