{"id":2223686,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2223686/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260416013101.221555-4-pablo@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260416013101.221555-4-pablo@netfilter.org>","date":"2026-04-16T01:30:50","name":"[net,03/14] netfilter: arp_tables: fix IEEE1394 ARP payload parsing in arp_packet_match()","commit_ref":null,"pull_url":null,"state":"superseded","archived":true,"hash":"bcda2d266df2a0edfbb93b3254262cbbd8ef5b07","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/1.1/people/1315/?format=json","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"delegate":{"id":11902,"url":"http://patchwork.ozlabs.org/api/1.1/users/11902/?format=json","username":"strlen","first_name":"Florian","last_name":"Westphal","email":"fw@strlen.de"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260416013101.221555-4-pablo@netfilter.org/mbox/","series":[{"id":500063,"url":"http://patchwork.ozlabs.org/api/1.1/series/500063/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500063","date":"2026-04-16T01:30:47","name":"[net,01/14] netfilter: nft_fwd_netdev: use recursion counter in neigh egress path","version":1,"mbox":"http://patchwork.ozlabs.org/series/500063/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223686/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223686/checks/","tags":{},"headers":{"Return-Path":"\n 
<netfilter-devel+bounces-11949-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=p+3ST/Mj;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11949-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"p+3ST/Mj\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fx0qY6Ks0z1yG9\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 11:32:09 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 48065311256F\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 01:31:24 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 3C91A23C516;\n\tThu, 16 Apr 2026 01:31:15 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 670F7B640;\n\tThu, 16 Apr 2026 01:31:13 +0000 (UTC)","from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 1C9CD60181;\n\tThu, 16 Apr 2026 03:31:11 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776303074; cv=none;\n b=IoDiu0zgGV/Iw2JCoOieq9lhpNpH5LRsHQZVAotp+CIJNYnWjaBnzaLGbJPcwWPYlvdBHGEMtKxx4qB0wsT2roMH6D8bPYLaja8ZoaXYLD4wA/eQpv14LcAhUb4QY5rJotMysDrqQpZ0eh9ZQfcWttCvV/wch0Lxk97UwoeDTYI=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776303074; c=relaxed/simple;\n\tbh=E+TqY3nur+I/j7EktcUsc/tC9j0NrLrhL7r3Z7S4k0Q=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=esmatvy/Sa2Wl9rFCFuXq3TVxCfXBdY5WJ3Ep+jGDvEyS6cj1kyA++cnH0ZEtqNCUP8X2NzvMRVC+KVcNtPR7LMTNPoZI5n0GhKs3lDs4bjF/Cktz4oChQCxmKc5EcAtWqGUtFUDLk2EPSoeb33u7kaFpZ3kFDz9J3USuWT99no=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=p+3ST/Mj; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776303071;\n\tbh=UKA+A3aFYBFFgnZcbNAbiR56Du+bLjEnS3Riajgl8fg=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=p+3ST/Mj4MsmKiS4ruy5p3jwy3l7PrQFLwblq5q/EOaxjpT0Y+UBj7vxErUxqX+KY\n\t gikKhnu/FmuY1b5s8uRs21N4k8gLQo4az9FMSQNqhtHsc9Q1vILz7b0zPYY5aTOTna\n\t TvmZrzEEG9aOYTZW8ChR/eyLNl+DVIVtnYh6IpOK1K7GwPufuBrVSJLzCi7HlTUHxu\n\t 7Fc9mt+4/XerfLkfzu2i79jSnd+NxZ1Klg7N+pjF8FH5fjvG1cxYVNXqao8R47cely\n\t f82IxLR5rjp2IKraFxyNLLt+Vjo5ouzFto7QobBfSj1iFW3vE5nuG3I4f+ERDXLqhr\n\t QEc9W7zr1Sa9A==","From":"Pablo Neira Ayuso 
<pablo@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org","Subject":"[PATCH net 03/14] netfilter: arp_tables: fix IEEE1394 ARP payload\n parsing in arp_packet_match()","Date":"Thu, 16 Apr 2026 03:30:50 +0200","Message-ID":"<20260416013101.221555-4-pablo@netfilter.org>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260416013101.221555-1-pablo@netfilter.org>","References":"<20260416013101.221555-1-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"From: Weiming Shi <bestswngs@gmail.com>\n\narp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. 
Apply the same pattern to arp_packet_match().\n\n[ Pablo has mangled this patch to include Simon Horman's suggestions ]\n\nFixes: 6752c8db8e0c (\"firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Weiming Shi <bestswngs@gmail.com>\nSigned-off-by: Florian Westphal <fw@strlen.de>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/ipv4/netfilter/arp_tables.c | 14 +++++++++++---\n 1 file changed, 11 insertions(+), 3 deletions(-)","diff":"diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c\nindex 1cdd9c28ab2d..a7a56890b5b5 100644\n--- a/net/ipv4/netfilter/arp_tables.c\n+++ b/net/ipv4/netfilter/arp_tables.c\n@@ -110,13 +110,21 @@ static inline int arp_packet_match(const struct arphdr *arphdr,\n \tarpptr += dev->addr_len;\n \tmemcpy(&src_ipaddr, arpptr, sizeof(u32));\n \tarpptr += sizeof(u32);\n-\ttgt_devaddr = arpptr;\n-\tarpptr += dev->addr_len;\n+\n+\tif (IS_ENABLED(CONFIG_FIREWIRE_NET) && dev->type == ARPHRD_IEEE1394) {\n+\t\ttgt_devaddr = NULL;\n+\t} else {\n+\t\ttgt_devaddr = arpptr;\n+\t\tarpptr += dev->addr_len;\n+\t}\n \tmemcpy(&tgt_ipaddr, arpptr, sizeof(u32));\n \n \tif (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,\n \t\t    arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,\n-\t\t\t\t\tdev->addr_len)) ||\n+\t\t\t\t\tdev->addr_len)))\n+\t\treturn 0;\n+\n+\tif (tgt_devaddr &&\n \t    NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,\n \t\t    arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,\n \t\t\t\t\tdev->addr_len)))\n","prefixes":["net","03/14"]}
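Review bot: The new `if (tgt_devaddr &&` guard in front of the ARPT_INV_TGTDEVADDR check means that on ARPHRD_IEEE1394 devices the rule's target device address criterion is never evaluated, so a rule that sets `arpinfo->tgt_devaddr` (or inverts it) has that criterion treated as satisfied rather than compared. For a packet filter this silently widens what the rule matches. Either state this in the commit message and in a comment at the guard, or make the outcome explicit, for example by returning 0 when the rule carries a target device address criterion and the packet has no such field. A short comment above the `dev->type == ARPHRD_IEEE1394` branch noting that RFC 2734 ARP omits the target hardware address would also explain why `tgt_devaddr` is NULL there.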