Commit f900e1d7 authored Mar 10, 2026 by Florian Westphal

netfilter: conntrack: add missing netlink policy validations



Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.

These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.

Quoting the reporter:
  nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
  value directly to ct->proto.sctp.state without checking that it is
  within the valid range. [..]

  and: ... with exp->dir = 100, the access at
  ct->master->tuplehash[100] reads 5600 bytes past the start of a
  320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
  UBSAN.

Fixes: 076a0ca0 ("netfilter: ctnetlink: add NAT support for expectations")
Fixes: a258860e ("netfilter: ctnetlink: add full support for SCTP to ctnetlink")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

parent 5cb81eed

net/netfilter/nf_conntrack_netlink.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3489,7 +3489,7 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,

		#if IS_ENABLED(CONFIG_NF_NAT)
		static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
		[CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
		[CTA_EXPECT_NAT_DIR] = NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY),
		[CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
		};
		#endif

net/netfilter/nf_conntrack_proto_sctp.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -582,7 +582,8 @@ static int sctp_to_nlattr(struct sk_buff skb, struct nlattr nla,
		}

		static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
		[CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
		[CTA_PROTOINFO_SCTP_STATE] = NLA_POLICY_MAX(NLA_U8,
		SCTP_CONNTRACK_HEARTBEAT_SENT),
		[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
		[CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
		};