Message ID | 20210611170645.11245-1-phil@nwl.cc |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
Series | [nf-next,v2] netfilter: nft_exthdr: Search chunks in SCTP packets only | expand |
On Fri, Jun 11, 2021 at 07:06:45PM +0200, Phil Sutter wrote: > Since user space does not generate a payload dependency, plain sctp > chunk matches cause searching in non-SCTP packets, too. Avoid this > potential mis-interpretation of packet data by checking pkt->tprot. Applied, thanks.
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index 7f705b5c09de8..9cf86be2cff4b 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -312,6 +312,9 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, const struct sctp_chunkhdr *sch; struct sctp_chunkhdr _sch; + if (pkt->tprot != IPPROTO_SCTP) + goto err; + do { sch = skb_header_pointer(pkt->skb, offset, sizeof(_sch), &_sch); if (!sch || !sch->length) @@ -334,7 +337,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, } offset += SCTP_PAD4(ntohs(sch->length)); } while (offset < pkt->skb->len); - +err: if (priv->flags & NFT_EXTHDR_F_PRESENT) nft_reg_store8(dest, false); else
Since user space does not generate a payload dependency, plain sctp chunk matches cause searching in non-SCTP packets, too. Avoid this potential mis-interpretation of packet data by checking pkt->tprot. Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks") Signed-off-by: Phil Sutter <phil@nwl.cc> --- Changes since v1: - Drop pointless check of tprot_set value. --- net/netfilter/nft_exthdr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)