
Commit a9e8503

Florian Westphalummakynes
authored andcommitted
netfilter: nft_payload: don't allow th access for fragments
Loads relative to ->thoff naturally expect that this points to the transport header, but this is only true if pkt->fragoff == 0. This has little effect for rulesets with connection tracking/nat because these enable IP defrag. For other rulesets this prevents false matches. Fixes: 9651851 ("netfilter: add nftables") Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 77b3371 commit a9e8503


2 files changed

+6
-5
lines changed


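--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -167,7 +167,7 @@ nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
 {
 struct tcphdr *tcph;
 
-if (pkt->tprot != IPPROTO_TCP)
+if (pkt->tprot != IPPROTO_TCP || pkt->fragoff)
 return NULL;
 
 tcph = skb_header_pointer(pkt->skb, nft_thoff(pkt), sizeof(*tcph), buffer);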
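Review bot: The `|| pkt->fragoff` test in nft_tcp_header_pointer guards only the TCP option lookup; any other evaluator in nft_exthdr.c that reads a different transport protocol's header at nft_thoff() is outside this hunk and, if present, needs the same test, since on a non-first fragment that offset points at payload rather than a header. The condition would also benefit from a one-line comment above it, for example `/* thoff is the TCP header only when this is not a later fragment */`. The function body continues past the end of the hunk.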

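--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -83,7 +83,7 @@ static int __nft_payload_inner_offset(struct nft_pktinfo *pkt)
 {
 unsigned int thoff = nft_thoff(pkt);
 
-if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
+if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
 return -1;
 
 switch (pkt->tprot) {
@@ -147,7 +147,7 @@ void nft_payload_eval(const struct nft_expr *expr,
 offset = skb_network_offset(skb);
 break;
 case NFT_PAYLOAD_TRANSPORT_HEADER:
-if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
+if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
 goto err;
 offset = nft_thoff(pkt);
 break;
@@ -688,7 +688,7 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
 offset = skb_network_offset(skb);
 break;
 case NFT_PAYLOAD_TRANSPORT_HEADER:
-if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
+if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
 goto err;
 offset = nft_thoff(pkt);
 break;
@@ -728,7 +728,8 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
 if (priv->csum_type == NFT_PAYLOAD_CSUM_SCTP &&
 pkt->tprot == IPPROTO_SCTP &&
 skb->ip_summed != CHECKSUM_PARTIAL) {
-if (nft_payload_csum_sctp(skb, nft_thoff(pkt)))
+if (pkt->fragoff == 0 &&
+nft_payload_csum_sctp(skb, nft_thoff(pkt)))
 goto err;
 }
 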
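Review bot: In the last hunk the SCTP fixup is now skipped when `pkt->fragoff` is non-zero, but any other checksum update in nft_payload_set_eval that locates the checksum field relative to nft_thoff() lies outside these hunks and is not shown to be guarded; for a write with a network-header base on a later fragment, such a path would patch bytes of fragment payload instead of a checksum. It is worth confirming that every remaining nft_thoff() user in this function is reached only when `pkt->fragoff == 0`. The skip itself is silent, so a comment on the new condition such as `/* later fragments have no SCTP header at thoff, nothing to recompute */` would record that it is deliberate. The same `!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff` test now appears three times in this file and could live in one small static helper. nft_payload_set_eval starts and ends outside the hunks.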
