Commit d5953d68 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 



If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().

skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.

Fixes: 7ec3f7b4 ("netfilter: nft_payload: add packet mangling support")
Reported-by: default avatarSlavin Liu <slavin-ayu@qq.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 4ed234fe

net/netfilter/nft_payload.c

+3 −0
Original line number Diff line number Diff line
@@ -904,6 +904,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr, 
	    ((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&

	      priv->base != NFT_PAYLOAD_INNER_HEADER) ||

	     skb->ip_summed != CHECKSUM_PARTIAL)) {

		if (offset + priv->len > skb->len)

			goto err;



		fsum = skb_checksum(skb, offset, priv->len, 0);

		tsum = csum_partial(src, priv->len, 0);