| Message ID | 20180517134949.9979-1-ap420073@gmail.com |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | [nf-next] netfilter: nft_meta: fix wrong value dereference in nft_meta_set_eval | expand |
Taehee Yoo <ap420073@gmail.com> wrote: > In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. > But correct type is u8. so that sometimes incorrect value is dereferenced. Acked-by: Florian Westphal <fw@strlen.de> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, May 17, 2018 at 10:49:49PM +0900, Taehee Yoo wrote: > In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. > But correct type is u8. so that sometimes incorrect value is dereferenced. > > Steps to reproduce: > > %nft add table ip filter > %nft add chain ip filter input { type filter hook input priority 4\; } > %nft add rule ip filter input nftrace set 0 > %nft monitor > > Sometimes, we can see trace messages. > > trace id 16767227 ip filter input packet: iif "enp2s0" > ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx > ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0 > ip ecn not-ect ip > trace id 16767227 ip filter input rule nftrace set 0 (verdict continue) > trace id 16767227 ip filter input verdict continue > trace id 16767227 ip filter input Applied to nf.git, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 5348bd0..1105a23 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -259,7 +259,7 @@ static void nft_meta_set_eval(const struct nft_expr *expr, struct sk_buff *skb = pkt->skb; u32 *sreg = ®s->data[meta->sreg]; u32 value = *sreg; - u8 pkt_type; + u8 value8; switch (meta->key) { case NFT_META_MARK: @@ -269,15 +269,17 @@ static void nft_meta_set_eval(const struct nft_expr *expr, skb->priority = value; break; case NFT_META_PKTTYPE: - pkt_type = nft_reg_load8(sreg); + value8 = nft_reg_load8(sreg); - if (skb->pkt_type != pkt_type && - skb_pkt_type_ok(pkt_type) && + if (skb->pkt_type != value8 && + skb_pkt_type_ok(value8) && skb_pkt_type_ok(skb->pkt_type)) - skb->pkt_type = pkt_type; + skb->pkt_type = value8; break; case NFT_META_NFTRACE: - skb->nf_trace = !!value; + value8 = nft_reg_load8(sreg); + + skb->nf_trace = !!value8; break; default: WARN_ON(1);
In the nft_meta_set_eval, nftrace value is dereferenced as u32 from sreg. But correct type is u8. so that sometimes incorrect value is dereferenced. Steps to reproduce: %nft add table ip filter %nft add chain ip filter input { type filter hook input priority 4\; } %nft add rule ip filter input nftrace set 0 %nft monitor Sometimes, we can see trace messages. trace id 16767227 ip filter input packet: iif "enp2s0" ether saddr xx:xx:xx:xx:xx:xx ether daddr xx:xx:xx:xx:xx:xx ip saddr 192.168.0.1 ip daddr 255.255.255.255 ip dscp cs0 ip ecn not-ect ip trace id 16767227 ip filter input rule nftrace set 0 (verdict continue) trace id 16767227 ip filter input verdict continue trace id 16767227 ip filter input Signed-off-by: Taehee Yoo <ap420073@gmail.com> --- net/netfilter/nft_meta.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)