| Message ID | 20260511173048.7256-1-zhaoyz24@mails.tsinghua.edu.cn |
|---|---|
| State | Accepted, archived |
| Series | [v2,nf] netfilter: nft_inner: Fix IPv6 inner_thoff desync |
On 5/11/26 7:30 PM, Yizhou Zhao wrote:
> In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
> ipv6_find_hdr() correctly computes the transport header offset
> traversing all extension headers, but the result is immediately
> overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
> accounts for the IPv6 base header. This creates a desync between
> inner_thoff (wrong — points to extension header start) and l4proto
> (correct — e.g., IPPROTO_TCP), enabling transport header forgery
> and potential firewall bypass. This issue affects stable versions
> from Linux 6.2.
>
> For comparison, the normal (non-inner) IPv6 path correctly
> preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
> ensures that ipv6_find_hdr()'s calculated transport header offset is
> preserved, thereby fixing the desynchronization.
>
> Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
> Cc: stable@vger.kernel.org
> Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
> Reported-by: Xuewei Feng <fengxw06@126.com>
> Reported-by: Qi Li <qli01@tsinghua.edu.cn>
> Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
> Assisted-by: GLM:5.1 Z.ai
> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c index c4569d4b9..1b3e7a976 100644 --- a/net/netfilter/nft_inner.c +++ b/net/netfilter/nft_inner.c @@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv, return -1; if (fragoff == 0) { - thoff = nhoff + sizeof(_ip6h); ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH; ctx->inner_thoff = thoff; ctx->l4proto = l4proto;
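Review bot: the deletion is only correct if `thoff` is the variable ipv6_find_hdr() filled in before the `return -1` shown as the hunk's first context line; that call is outside the hunk, so please confirm in the surrounding code that no other write to `thoff` sits between it and `if (fragoff == 0)`, and that `thoff` is expressed relative to the same base as the removed `nhoff + sizeof(_ip6h)` (i.e. what `ctx->inner_thoff` expects), otherwise one desync is traded for another. With the line gone, `ctx->inner_thoff = thoff` and `ctx->l4proto = l4proto` are derived from the same header walk, which is the invariant the commit message describes; a selftest feeding an inner IPv6 packet with a Hop-by-Hop or Destination Options header in front of TCP would pin that down, and is worth having for the stable trees named in the Fixes/Cc tags since the `fragoff != 0` path, which sets neither field here, stays unchanged.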
In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.

Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
Cc: stable@vger.kernel.org
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM:5.1 Z.ai
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
---
Changes in v2:
- Fix the format
- Link to v1: https://lore.kernel.org/netfilter-devel/20260510131953.32790-1-zhaoyz24@mails.tsinghua.edu.cn/
---
 net/netfilter/nft_inner.c | 1 -
 1 file changed, 1 deletion(-)
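As an added illustration of the desync the commit message describes (this is not code from the patch or from nft_inner.c): a user-space C walk over a constructed inner IPv6 packet carrying one Hop-by-Hop header, comparing the offset a full extension-header walk yields (what ipv6_find_hdr() computes) with the fixed nhoff + 40 the removed line assigned. The function names, the struct and the sample bytes are made up for this example, and only Hop-by-Hop and Destination Options headers are walked.

```c
#include <stdint.h>
#include <stddef.h>

#define IPPROTO_HOPOPTS 0
#define IPPROTO_TCP     6
#define IPPROTO_DSTOPTS 60
#define IPV6_HDR_LEN    40

/* Walk Hop-by-Hop / Destination Options headers after the IPv6 header at
 * nhoff (ipv6_find_hdr() does this for every extension header type).
 * Returns the transport offset, stores the final Next Header in *l4proto,
 * or returns -1 when len bytes are not enough to finish the walk. */
static int walk_ipv6_ext(const uint8_t *pkt, size_t len, size_t nhoff,
                         uint8_t *l4proto)
{
    if (nhoff + IPV6_HDR_LEN > len)
        return -1;
    uint8_t nexthdr = pkt[nhoff + 6];          /* base header: Next Header */
    size_t off = nhoff + IPV6_HDR_LEN;
    while (nexthdr == IPPROTO_HOPOPTS || nexthdr == IPPROTO_DSTOPTS) {
        if (off + 2 > len)
            return -1;
        nexthdr = pkt[off];                    /* ext header: Next Header */
        off += ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len, 8-octet units */
        if (off > len)
            return -1;
    }
    *l4proto = nexthdr;
    return (int)off;
}

/* The offset the removed line assigned: base header only. */
static int naive_thoff(size_t nhoff) { return (int)(nhoff + IPV6_HDR_LEN); }
/* Constructed inner packet: IPv6 base header (Next Header = HOPOPTS, payload
 * length 28), an 8-byte Hop-by-Hop header (Next Header = TCP, one PadN
 * option), then a zeroed 20-byte TCP header. */
static const uint8_t sample[40 + 8 + 20] = {
    [0] = 0x60, [5] = 28, [6] = IPPROTO_HOPOPTS,
    [40] = IPPROTO_TCP, [41] = 0, [42] = 1, [43] = 4,
};
struct thoff_cmp { int walked; int naive; uint8_t l4proto; };
/* Compare both offsets over the first len bytes of the sample; walked !=
 * naive is exactly the inner_thoff/l4proto desync the patch removes. */
static struct thoff_cmp compare_sample(size_t len)
{
    struct thoff_cmp c = { .l4proto = 0xff };
    c.walked = walk_ipv6_ext(sample, len, 0, &c.l4proto);
    c.naive = naive_thoff(0);
    return c;
}
```

For the full sample the walk lands on the TCP header at offset 48 while the naive value is 40, so a rule keyed on l4proto == TCP would have read its "TCP header" from the Hop-by-Hop options; a truncated length makes the walk fail closed with -1 instead.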