[{"id":3676864,"web_url":"http://patchwork.ozlabs.org/comment/3676864/","msgid":"<ad0ncfqrrUWrYOmo@chamomile>","list_archive_url":null,"date":"2026-04-13T17:27:58","subject":"Re: [PATCH] netfilter: nfnetlink_cthelper: fix expect policy update\n copying only first class values to all classes","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 13, 2026 at 04:48:22PM +0800, Dudu Lu wrote:\n> In nfnl_cthelper_update_policy_all(), when updating the expect policies\n> of a multi-class conntrack helper, the loop iterates over all expect\n> classes but always reads from new_policy[0] instead of new_policy[i]:\n> \n>     for (i = 0; i < helper->expect_class_max + 1; i++) {\n>         policy = &helper->expect_policy[i];\n>         policy->max_expected = new_policy->max_expected;  /* always [0] */\n>         policy->timeout      = new_policy->timeout;       /* always [0] */\n>     }\n> \n> The new_policy array was correctly parsed per-class by\n> nfnl_cthelper_update_policy_one() in the validation loop above (line\n> 336-342), with each new_policy[i] holding its respective class values.\n> However, the copy loop dereferences new_policy as a pointer\n> (new_policy->x) rather than indexing it as an array\n> (new_policy[i].x), creating a security vulnerability.\n> \n> As a result, all expect classes of a multi-class helper get overwritten\n> with the values of class 0, discarding the per-class differentiation.\n> \n> This affects helpers like H.323 which use multiple expect classes\n> (RTP, RTCP, T.120) with different max_expected and timeout values.\n> After a policy update, all classes get identical limits, breaking the\n> per-class expect enforcement.\n\nNot really. 
Such helpers do not exist in userspace, and this is fully\nuserspace conntrack helper infrastructure.\n\nThis is nf-next material: I think no userspace helper is using more\nthan one single expectation class at this stage.\n\n> Fix by indexing new_policy with the loop variable.\n> \n> Fixes: 2c422257550f (\"netfilter: nfnl_cthelper: fix runtime expectation policy updates\")\n> Signed-off-by: Dudu Lu <phx0fer@gmail.com>\n> ---\n>  net/netfilter/nfnetlink_cthelper.c | 4 ++--\n>  1 file changed, 2 insertions(+), 2 deletions(-)\n> \n> diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c\n> index d545fa459455..1e605d77796d 100644\n> --- a/net/netfilter/nfnetlink_cthelper.c\n> +++ b/net/netfilter/nfnetlink_cthelper.c\n> 
@@ -346,8 +346,8 @@ static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],\n>  \tfor (i = 0; i < helper->expect_class_max + 1; i++) {\n>  \t\tpolicy = (struct nf_conntrack_expect_policy *)\n>  \t\t\t\t&helper->expect_policy[i];\n> -\t\tpolicy->max_expected = new_policy->max_expected;\n> -\t\tpolicy->timeout\t= new_policy->timeout;\n> +\t\tpolicy->max_expected = new_policy[i].max_expected;\n> +\t\tpolicy->timeout\t= new_policy[i].timeout;\n>  \t}\n>  \n>  err:\n> -- \n> 2.39.3 (Apple Git-145)\n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-11848-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=j4xX5vwB;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11848-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"j4xX5vwB\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvZDY5wqdz1yDG\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 14 Apr 2026 03:30:21 +1000 
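Review bot: the change from new_policy->max_expected to new_policy[i].max_expected in the loop at nfnl_cthelper_update_policy_all() (hunk at line 346) is correct only if new_policy holds expect_class_max + 1 entries, and the hunk itself shows no bound on new_policy: the old code never read past index 0, the new code reads up to index expect_class_max, so the commit message should state explicitly that the validation loop it cites (lines 336-342) allocates and fills exactly expect_class_max + 1 entries, and the reviewer should confirm that against the earlier loop before merging. On the description: calling the old behaviour a security vulnerability is not supported by the visible lines, which show a logic error (every class receives the values of class 0 through a valid read of index 0), not an out-of-bounds access, and the reply above notes that no userspace helper currently uses more than one expectation class; the wording should be toned down to a functional fix, with the Fixes tag kept. Minor style point for the two replaced lines: the tab between policy->timeout and the = sign could be normalised to a single space while the line is being touched, matching the policy->max_expected line directly above it.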
(AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 98D5D302E0C5\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 13 Apr 2026 17:28:10 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A198A34DB77;\n\tMon, 13 Apr 2026 17:28:07 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 81F8D348875\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 13 Apr 2026 17:28:04 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id BBABA6031A;\n\tMon, 13 Apr 2026 19:28:01 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776101286; cv=none;\n b=XwlR62lSPLKMZ201zc+NyXj3Vset/ojFpzjk3B40HXLWWKVuQW25wJJ7PowhI4H6FJcZfmtWO+Jp6Lkz+d9ymoDx4XHp2UYMZrmlvNeJlbbIrqPyxWIM8IOgvNakPpsep2ZFuC1mRWsGf3hsz8qjW38XNuw6udyU8MS5y2Tq9Wc=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776101286; c=relaxed/simple;\n\tbh=dJFYfkQqVGwuwxX3yZYI4Tni7a4AG3e3yXre3dXWabI=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=dT54Iypddy1nR4gfkAsJjbsnOa1Zr8uRlD69dy5VwTJ1yivKSi/uNdIW8upcGKHWhXMwICDm96YYLDCLzjQBH17xTswV895jlAaxF8Du0kAOHeNw0xc9KTdZqgF3UVPNR+KOMmrFUUWCQcLdnbXrXWB0/WDQhVLb5d+dS+BBPA4=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=j4xX5vwB; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; 
t=1776101281;\n\tbh=EwaUd21I0dYv0NALe43F7GOToWI4Vk+T3pbJApr0yGs=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=j4xX5vwBHBnIc6PqLF2KsM0ik8eb0jZoTAlH+n3ngPYYIbLVCGXeUByqiramt10Xm\n\t TKYdq6j74H9eJIzXx5ZjVo3Gcwog7ltUNBwJ5y8Z/kgokOChIQon45FoxG8xCgfDWm\n\t mQfXYKFNkRPZ7Oe6jQ/ljWR1p94lP00du1uaHhshJIIZqFtKvifvEchohDamuaqukF\n\t awDbrvJerqoVOhUiHPvCeLLfWfH4oYCAz8WbNiqs62rExE22OZGTwme9yIHi43RCkA\n\t 9dF2DKul/IkoffpzGNW9MsDkySMtN7KMUS9PYqc4H4hxbfHMxuxG7KDfsz7Bym5DZY\n\t +4bafrUGNF7DA==","Date":"Mon, 13 Apr 2026 19:27:58 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Dudu Lu <phx0fer@gmail.com>","Cc":"netfilter-devel@vger.kernel.org, fw@strlen.de","Subject":"Re: [PATCH] netfilter: nfnetlink_cthelper: fix expect policy update\n copying only first class values to all classes","Message-ID":"<ad0ncfqrrUWrYOmo@chamomile>","References":"<20260413084822.70754-1-phx0fer@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260413084822.70754-1-phx0fer@gmail.com>"}}]