From patchwork Fri Mar 23 18:15:37 2018 X-Patchwork-Submitter: Felix Fietkau X-Patchwork-Id: 890096 X-Patchwork-Delegate: pablo@netfilter.org Received: by maeck.lan (Postfix, from userid 501) id A21BB1DBDA7C;
Fri, 23 Mar 2018 19:15:38 +0100 (CET) From: Felix Fietkau To: netfilter-devel@vger.kernel.org Cc: pablo@netfilter.org, nbd@nbd.name Subject: [PATCH 1/2] netfilter: nf_flow_table: add missing condition for TCP state check Date: Fri, 23 Mar 2018 19:15:37 +0100 Message-Id: <20180323181538.14247-1-nbd@nbd.name> X-Mailer: git-send-email 2.14.2 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Avoid looking at unrelated fields in UDP packets Signed-off-by: Felix Fietkau --- net/netfilter/nf_flow_table_ip.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 4e0ed49079f8..c2d1685365d8 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -15,11 +15,14 @@ #include #include -static int nf_flow_tcp_state_check(struct flow_offload *flow, - struct sk_buff *skb, unsigned int thoff) +static int nf_flow_state_check(struct flow_offload *flow, int proto, + struct sk_buff *skb, unsigned int thoff) { struct tcphdr *tcph; + if (proto != IPPROTO_TCP) + return 0; + if (!pskb_may_pull(skb, thoff + sizeof(*tcph))) return -1; @@ -248,7 +251,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, return NF_DROP; thoff = ip_hdr(skb)->ihl * 4; - if (nf_flow_tcp_state_check(flow, skb, thoff)) + if (nf_flow_state_check(flow, ip_hdr(skb)->protocol, skb, thoff)) return NF_ACCEPT; if (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) && @@ -460,7 +463,8 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu))) return NF_ACCEPT; - if (nf_flow_tcp_state_check(flow, skb, sizeof(*ip6h))) + if (nf_flow_state_check(flow, ipv6_hdr(skb)->nexthdr, skb, + sizeof(*ip6h))) return NF_ACCEPT; if (skb_try_make_writable(skb, sizeof(*ip6h)))
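Review bot: the new `if (proto != IPPROTO_TCP) return 0;` guard at the top of nf_flow_state_check() makes every non-TCP protocol pass as "nothing to check", and the renamed function no longer says it is TCP-only, so a one-line comment above the guard (for example `/* only TCP carries connection state worth checking */`) would make clear that 0 here means "no state to validate" rather than "state validated"; the callers treat any non-zero return as a reason to skip offload (`return NF_ACCEPT`), so the distinction matters for anyone extending this later.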
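Review bot: in nf_flow_offload_ip_hook() the new call reads `ip_hdr(skb)->protocol` immediately after `thoff = ip_hdr(skb)->ihl * 4;`; taking the header pointer once (`iph = ip_hdr(skb);`) and passing `iph->protocol` alongside `iph->ihl * 4` would keep the two reads of the same header together. This is a style point only, the header has already been examined above on the `return NF_DROP` path.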
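Review bot: in nf_flow_offload_ipv6_hook() the call passes `ipv6_hdr(skb)->nexthdr` together with a fixed `thoff` of `sizeof(*ip6h)`, so both sides assume the transport header directly follows the base IPv6 header; for a packet that carries extension headers, nexthdr is not IPPROTO_TCP, the new guard returns 0, and the TCP state check is skipped entirely rather than the packet being refused. Either confirm that the earlier tuple lookup already rejects flows whose nexthdr is not TCP or UDP before this point, or record that assumption in a comment next to this call.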