[{"id":3676618,"web_url":"http://patchwork.ozlabs.org/comment/3676618/","msgid":"","list_archive_url":null,"date":"2026-04-13T09:47:13","subject":"Re: [PATCH 6.12.y] netfilter: conntrack: add missing netlink policy\n validations","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"Why only 6.12?\n\nOn Mon, Apr 13, 2026 at 03:31:05PM +0800, Li hongliang wrote:\n> From: Florian Westphal \n> \n> [ Upstream commit f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 ]\n> \n> Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.\n> \n> These attributes are used by the kernel without any validation.\n> Extend the netlink policies accordingly.\n> \n> Quoting the reporter:\n> nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE\n> value directly to ct->proto.sctp.state without checking that it is\n> within the valid range. [..]\n> \n> and: ... with exp->dir = 100, the access at\n> ct->master->tuplehash[100] reads 5600 bytes past the start of a\n> 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by\n> UBSAN.\n> \n> Fixes: 076a0ca02644 (\"netfilter: ctnetlink: add NAT support for expectations\")\n> Fixes: a258860e01b8 (\"netfilter: ctnetlink: add full support for SCTP to ctnetlink\")\n> Reported-by: Hyunwoo Kim \n> Signed-off-by: Florian Westphal \n> Signed-off-by: Li hongliang <1468888505@139.com>\n> ---\n> net/netfilter/nf_conntrack_netlink.c | 2 +-\n> net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-\n> 2 files changed, 3 insertions(+), 2 deletions(-)\n> \n> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c\n> index 323e147fe282..f51cdfba68fb 100644\n> --- a/net/netfilter/nf_conntrack_netlink.c\n> +++ b/net/netfilter/nf_conntrack_netlink.c\n> @@ -3460,7 +3460,7 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,\n> \n> #if IS_ENABLED(CONFIG_NF_NAT)\n> static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {\n> -\t[CTA_EXPECT_NAT_DIR]\t= { .type = NLA_U32 },\n> +\t[CTA_EXPECT_NAT_DIR]\t= NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY),\n> \t[CTA_EXPECT_NAT_TUPLE]\t= { .type = NLA_NESTED },\n> };\n> #endif\n> diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c\n> index 4cc97f971264..fabb2c1ca00a 100644\n> --- a/net/netfilter/nf_conntrack_proto_sctp.c\n> +++ b/net/netfilter/nf_conntrack_proto_sctp.c\n> @@ -587,7 +587,8 @@ static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,\n> }\n> \n> static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {\n> -\t[CTA_PROTOINFO_SCTP_STATE]\t = { .type = NLA_U8 },\n> +\t[CTA_PROTOINFO_SCTP_STATE]\t = NLA_POLICY_MAX(NLA_U8,\n> +\t\t\t\t\t\t\t SCTP_CONNTRACK_HEARTBEAT_SENT),\n> \t[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },\n> \t[CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },\n> };\n> -- \n> 2.34.1\n> \n>","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=ZD4W9kNu;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11842-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"ZD4W9kNu\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvN790zn3z1yDF\n\tfor ; Mon, 13 Apr 2026 19:55:01 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 4D3F7303E48F\n\tfor ; Mon, 13 Apr 2026 09:47:23 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D3C303B388A;\n\tMon, 13 Apr 2026 09:47:21 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2296D36404A;\n\tMon, 13 Apr 2026 09:47:18 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 867C860177;\n\tMon, 13 Apr 2026 11:47:16 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776073641; cv=none;\n b=ubAMoRnZUng7jUIMeP29lbydPwT3mTxaV3ixF2fNZs993Q9RSQNMq+JxKelVPZa3AyUiRfyiRlfcw4F/YErc1ULNYiZo64cT8lQIknDXZISrxYu8GL7YipVy52SImsfq2bszuRCfR9ndMhQ84AMAJx/N9KwLo8/mfZpYNpuVXrU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776073641; c=relaxed/simple;\n\tbh=4aOb6ThLDBQYCx+aG1KLR6zwtxTjCP+veRl36Kco2eo=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=lfjXlWYQ+BikFZkOfl6BeV+QBib94NliXn+mqHV6ev20hUKuTHSimBOg3tyulA0qs1vDi/Z9ItRRoQSUaMpCKGMXry5pMlqBW6nUoGkhSnKLIKn6IzS3c5q6t10kJiOxy1Fw8HYYhrGvf/fp9cRU8FCxjyhbc5QF6FOQAB5HzKA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=ZD4W9kNu; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776073636;\n\tbh=pqKjOvCMf0uhkn7M/yAMIhfsnybJGiM7MI7A8LqwbwY=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=ZD4W9kNuzSdcIhn28usvUu5YdOueHnKtT3fEDGoIfaHMZwbPm9RmncOhgTg3mMwkn\n\t xoxo9PKfnyhIpnrz6ue9dnhVTiqFk6VnHFqq+tnpOWcWW1mYsY9B9uQF/x8bTH/JOk\n\t piNxO7BoKj/F9UcmWDXAwzCMPTtkeJvmtrDtYEc4axDdOOKKR9CiJirNzwomNwxf1H\n\t xCMiXqo3o2cR87kj1Wh8vaXB/XaNoaB50zFinbjstYoxmltTz7PYEvO1yoZS62wpXO\n\t RD6/DLUlwH+1SGbsi2vCxOJzl9PEQ0Zx58UEzSBSje/4M4YnwtjRStsK0zok2E9kO4\n\t Cly0m/iILmytw==","Date":"Mon, 13 Apr 2026 11:47:13 +0200","From":"Pablo Neira Ayuso ","To":"Li hongliang <1468888505@139.com>","Cc":"gregkh@linuxfoundation.org, stable@vger.kernel.org, fw@strlen.de,\n\tpatches@lists.linux.dev, linux-kernel@vger.kernel.org,\n\tkadlec@netfilter.org, davem@davemloft.net, edumazet@google.com,\n\tkuba@kernel.org, pabeni@redhat.com, horms@kernel.org,\n\tkaber@trash.net, netfilter-devel@vger.kernel.org,\n\tcoreteam@netfilter.org, netdev@vger.kernel.org, imv4bel@gmail.com","Subject":"Re: [PATCH 6.12.y] netfilter: conntrack: add missing netlink policy\n validations","Message-ID":"","References":"<20260413073105.2990210-1-1468888505@139.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260413073105.2990210-1-1468888505@139.com>"}}]