From patchwork Thu Apr 20 12:44:21 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Johnson X-Patchwork-Id: 752788 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3w7z8j5gYHz9s7L for ; Thu, 20 Apr 2017 22:44:37 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965942AbdDTMog (ORCPT ); Thu, 20 Apr 2017 08:44:36 -0400 Received: from lexington.centerclick.org ([72.0.224.86]:37473 "EHLO lexington.centerclick.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S945367AbdDTMoX (ORCPT ); Thu, 20 Apr 2017 08:44:23 -0400 Received: from alliance.centerclick.org (alliance.centerclick.org [IPv6:2606:8800:21:fe60::10]) by lexington.centerclick.org (Postfix) with ESMTP id F328DEE0D8; Thu, 20 Apr 2017 08:44:21 -0400 (EDT) Received: from intrepid-wired.ind.centerclick.org ([10.10.63.2] helo=intrepid) by alliance.centerclick.org with esmtp (Exim 3.36 #1 (Debian)) id 1d1BRd-0006Qc-00; Thu, 20 Apr 2017 08:44:21 -0400 MIME-Version: 1.0 Message-ID: <22776.44325.616928.335465@gargle.gargle.HOWL> Date: Thu, 20 Apr 2017 08:44:21 -0400 From: Dave Johnson To: netfilter-devel@vger.kernel.org, coreteam@netfilter.org Subject: [PATCH] netfilter: Wrong icmp6 checksum for ICMPV6_TIME_EXCEED in reverse SNATv6 path In-Reply-To: <22774.51265.265373.257836@gargle.gargle.HOWL> References: <22774.51265.265373.257836@gargle.gargle.HOWL> X-Mailer: VM 8.0.12-devo-585 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid (i486-linux-gnu) Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org When recalculating the outer ICMPv6 checksum for a reverse path NATv6 such as ICMPV6_TIME_EXCEED nf_nat_icmpv6_reply_translation() was accessing data beyond the headlen of the skb for non-linear skb. This resulted in incorrect ICMPv6 checksum as garbage data was used. Signed-off-by: Dave Johnson --- -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff -rup linux-4.9.23.orig/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c linux-4.9.23/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c --- linux-4.9.23.orig/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c 2017-04-18 01:12:30.000000000 -0400 +++ linux-4.9.23/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c 2017-04-20 08:13:41.070493666 -0400 @@ -229,7 +229,12 @@ int nf_nat_icmpv6_reply_translation(stru return 0; if (skb->ip_summed != CHECKSUM_PARTIAL) { - struct ipv6hdr *ipv6h = ipv6_hdr(skb); + struct ipv6hdr *ipv6h; + + if (!skb_make_writable(skb, skb->len)) + return 0; + + ipv6h = ipv6_hdr(skb); inside = (void *)skb->data + hdrlen; inside->icmp6.icmp6_cksum = 0; inside->icmp6.icmp6_cksum =