netfilter: ctnetlink: use helper function to calculate expect ID

ummakynes · ummakynes · commit 782161895eb4 · 2024-07-17T19:00:47.000+02:00
Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace. Fixes: 3c79107 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id") Reported-by: zdi-disclosures@trendmicro.com Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
@@ -3420,7 +3420,8 @@ static int ctnetlink_del_expect(struct sk_buff *skb,
 
 		if (cda[CTA_EXPECT_ID]) {
 			__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
-			if (ntohl(id) != (u32)(unsigned long)exp) {
+
+			if (id != nf_expect_get_id(exp)) {
 				nf_ct_expect_put(exp);
 				return -ENOENT;
 			}

Original file line number	Diff line number	Diff line change
`@@ -3420,7 +3420,8 @@ static int ctnetlink_del_expect(struct sk_buff *skb,`
`3420`	`3420`
`3421`	`3421`	`if (cda[CTA_EXPECT_ID]) {`
`3422`	`3422`	`__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);`
`3423`		`- if (ntohl(id) != (u32)(unsigned long)exp) {`
	`3423`	`+`
	`3424`	`+ if (id != nf_expect_get_id(exp)) {`
`3424`	`3425`	`nf_ct_expect_put(exp);`
`3425`	`3426`	`return -ENOENT;`
`3426`	`3427`	`}`