Commit 50ae879d authored by Paolo Abeni
Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for net:

1) Remove unused parameters in conntrack_dump_flush.c used by
   selftests, from Liu Jing.

2) Fix possible UaF when removing xtables module via getsockopt()
   interface, from Dong Chenchen.

3) Fix potential crash in nf_send_reset6() reported by syzkaller.
   From Eric Dumazet

4) Validate offset and length before calling skb_checksum()
   in nft_payload, otherwise hitting BUG() is possible.

netfilter pull request 24-10-31

* tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
  netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
  netfilter: Fix use-after-free in get_info()
  selftests: netfilter: remove unused parameter
====================

Link: https://patch.msgid.link/


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents ee802a49 d5953d68
+7 −8
@@ -268,12 +268,12 @@ static int nf_reject6_fill_skb_dst(struct sk_buff *skb_in)
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
		    int hook)
{
	struct sk_buff *nskb;
	struct tcphdr _otcph;
	const struct tcphdr *otcph;
	unsigned int otcplen, hh_len;
	const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
	struct dst_entry *dst = NULL;
	const struct tcphdr *otcph;
	struct sk_buff *nskb;
	struct tcphdr _otcph;
	unsigned int otcplen;
	struct flowi6 fl6;

	if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
@@ -312,9 +312,8 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
	if (IS_ERR(dst))
		return;

	hh_len = (dst->dev->hard_header_len + 15)&~15;
	nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
			 + sizeof(struct tcphdr) + dst->trailer_len,
	nskb = alloc_skb(LL_MAX_HEADER + sizeof(struct ipv6hdr) +
			 sizeof(struct tcphdr) + dst->trailer_len,
			 GFP_ATOMIC);

	if (!nskb) {
@@ -327,7 +326,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,

	nskb->mark = fl6.flowi6_mark;

	skb_reserve(nskb, hh_len + dst->header_len);
	skb_reserve(nskb, LL_MAX_HEADER);
	nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP, ip6_dst_hoplimit(dst));
	nf_reject_ip6_tcphdr_put(nskb, oldskb, otcph, otcplen);
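Review bot: The switch to `LL_MAX_HEADER` in the `alloc_skb()` / `skb_reserve()` pair has no comment saying why headroom is no longer derived from `dst->dev->hard_header_len`, so a later cleanup could easily reintroduce per-device sizing. I would add above the allocation something like `/* Reserve worst-case link-layer headroom; do not size this from dst->dev. */`. The new size also drops `dst->header_len`, which the old code both allocated and reserved; presumably any path that needs that room expands the head itself, but that is not visible here and is worth confirming. nf_send_reset6() continues past the hunks shown.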

+3 −0
@@ -904,6 +904,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
	    ((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
	      priv->base != NFT_PAYLOAD_INNER_HEADER) ||
	     skb->ip_summed != CHECKSUM_PARTIAL)) {
		if (offset + priv->len > skb->len)
			goto err;

		fsum = skb_checksum(skb, offset, priv->len, 0);
		tsum = csum_partial(src, priv->len, 0);
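Review bot: The added guard `offset + priv->len > skb->len` depends on the types of `offset` and `priv->len`, which are declared outside this hunk. If `offset` is a signed int, a negative value is rejected only through the implicit conversion to the type of `skb->len`; writing `if (offset < 0 || offset + priv->len > skb->len)` would make the intent reviewable without knowing the declarations. A one-line comment such as `/* skb_checksum() can hit BUG() on an out-of-range offset/len */` would also record why the check sits directly before the call. nft_payload_set_eval() starts and ends outside the hunk.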

+1 −1
@@ -1269,7 +1269,7 @@ struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,

	/* and once again: */
	list_for_each_entry(t, &xt_net->tables[af], list)
		if (strcmp(t->name, name) == 0)
		if (strcmp(t->name, name) == 0 && owner == t->me)
			return t;

	module_put(owner);
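Review bot: The new `owner == t->me` condition in the second lookup loop is undocumented, although it appears to be the use-after-free fix described in the pull request. A short comment above the loop, for example `/* name match alone is not enough: the table must belong to the module we took a reference on */`, would stop it from being dropped later as redundant. The reference-taking itself is outside the hunk, so that wording should be checked against the surrounding code. Only this second loop is visible here, so whether the earlier lookup in xt_find_table_lock() needs the same condition cannot be judged from the hunk.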
+3 −3
@@ -98,7 +98,7 @@ static int conntrack_data_insert(struct mnl_socket *sock, struct nlmsghdr *nlh,
	char buf[MNL_SOCKET_BUFFER_SIZE];
	struct nlmsghdr *rplnlh;
	unsigned int portid;
	int err, ret;
	int ret;

	portid = mnl_socket_get_portid(sock);

@@ -217,7 +217,7 @@ static int conntracK_count_zone(struct mnl_socket *sock, uint16_t zone)
	struct nfgenmsg *nfh;
	struct nlattr *nest;
	unsigned int portid;
	int err, ret;
	int ret;

	portid = mnl_socket_get_portid(sock);

@@ -264,7 +264,7 @@ static int conntrack_flush_zone(struct mnl_socket *sock, uint16_t zone)
	struct nfgenmsg *nfh;
	struct nlattr *nest;
	unsigned int portid;
	int err, ret;
	int ret;

	portid = mnl_socket_get_portid(sock);