@@ -13,6 +13,7 @@ static unsigned int
target(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct arpt_mangle *mangle = par->targinfo;
+ bool has_tgt_devaddr = true;
const struct arphdr *arp;
unsigned char *arpptr;
int pln, hln;
@@ -39,13 +40,22 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
memcpy(arpptr, &mangle->u_s.src_ip, pln);
}
arpptr += pln;
+
+ if (arp->ar_hrd == htons(ARPHRD_IEEE1394))
+ has_tgt_devaddr = false;
+
if (mangle->flags & ARPT_MANGLE_TDEV) {
+ if (!has_tgt_devaddr)
+ return NF_DROP;
+
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
memcpy(arpptr, mangle->tgt_devaddr, hln);
}
- arpptr += hln;
+ if (has_tgt_devaddr)
+ arpptr += hln;
+
if (mangle->flags & ARPT_MANGLE_TIP) {
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
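Review bot: The IEEE 1394 test at `if (arp->ar_hrd == htons(ARPHRD_IEEE1394))` sits between the sender-IP and target-device mangling steps, so a reader has to notice mid-function that the layout assumption changes; computing `has_tgt_devaddr` once, right where `arp` is obtained and validated (outside this hunk), would keep the layout decision in one place and let the declaration in the first hunk initialize directly from it. Wherever it ends up, the line deserves a why-comment, e.g. `/* IEEE 1394 ARP omits the target hardware address; there is nothing to mangle and nothing to skip */`, since the later `if (has_tgt_devaddr) arpptr += hln;` is otherwise unexplained. The early `return NF_DROP` for ARPT_MANGLE_TDEV on such frames is consistent with the existing drop on a too-long hln. The enclosing function starts and ends outside this hunk, and whether `ar_hrd` is already within the validated header length can only be inferred.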
sashiko.dev noticed that similar bug pattern exists in arpt_mangle: "IEEE1394 ARP payloads omit the target hardware address, advancing arpptr by hln after the source IP address skips over the actual target IP address." Apply similar fix: If we're asked to mangle what doesn't exist, drop the packet. Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.") Signed-off-by: Florian Westphal <fw@strlen.de> --- v2: Just check ar_hrd. I do not know why the arp_tables.c change used dev->type instead. Also NOONE uses this feature and we could even completely ignore it, there is no crash and users can already use arptables to skip such frames. IOW, from a certain POV the report *IS* bullshit. I propose we keep these patches back to focus on real bugs instead, there are plenty enough as-is. net/ipv4/netfilter/arpt_mangle.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)