1

netfilter pull request 24-10-31

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmcjVIwACgkQ1w0aZmrP
 KyGfKA/+Nhj8MpYPl/TiaWitL9quL8ExcSr8DBJPlG0w/LzlrdYZqKvgxUfTDHKi
 GYnfgFrHlrNG0E6HiWS8RPzjJjT8of/hrnFU/pMkGh97hQpDLkkoG9/wAScO3NGQ
 c8roORHe3gSH1ZR6ExCy6wdw1aUxGzA7amZULDc+bU64KamGgFoBTSI/YG0bW0FI
 s5waIGtqfo/Wg+uyRv5Ny477aWIrWTjhG0T/64lziPws9rZ40cTfg8N22PVX0Yog
 pojOC8mpMyys5hNu6UBB0pdX5J6ARO1seK0aj1i+XEkJYHb1u9/oySfVoI0yqQ3Y
 9Kt8nc/NvBoOvK2xlLApYIHC8//YCAE94n6JwrZPyb16L93yxhpGO3kZNq6ydJdU
 2tgv23clW3keMvJijICc0bxQdUqwKdQZcLRwkVAvXAWvOCI9x72Y6GeJS4xRnnBF
 RDug6uuLMVoh9UlUZ95HiXsFLzilXtkFHGaG0KjEKdIECgajTBlcwpFyDGktto44
 XVr4cjTQ5amUVqfcG7ycFLsVjk8dYEkYbTE6FMenSAeFIYzo+D8xQnoMKFYE+IXt
 C229Z9FZJvmbduZEoeaMI24CnV4P0HjNPvrTMw8go2iSbi89fLPEscCS/z/eUqQS
 4FB+E93LaCKhSYujQIAB+sZcNlG0Q8+7f10mv8SsNZxJZmPOIeU=
 =RHbi
 -----END PGP SIGNATURE-----

Merge tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter fixes for net:

1) Remove unused parameters in conntrack_dump_flush.c used by
   selftests, from Liu Jing.

2) Fix possible UaF when removing xtables module via getsockopt()
   interface, from Dong Chenchen.

3) Fix potential crash in nf_send_reset6() reported by syzkaller.
   From Eric Dumazet

4) Validate offset and length before calling skb_checksum()
   in nft_payload, otherwise hitting BUG() is possible.

netfilter pull request 24-10-31

* tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
  netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
  netfilter: Fix use-after-free in get_info()
  selftests: netfilter: remove unused parameter
====================

Link: https://patch.msgid.link/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Paolo Abeni 2024-10-31 12:13:08 +01:00
commit 50ae879de1
4 changed files with 14 additions and 12 deletions

View File

@ -268,12 +268,12 @@ static int nf_reject6_fill_skb_dst(struct sk_buff *skb_in)
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
int hook)
{
struct sk_buff *nskb;
struct tcphdr _otcph;
const struct tcphdr *otcph;
unsigned int otcplen, hh_len;
const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
struct dst_entry *dst = NULL;
const struct tcphdr *otcph;
struct sk_buff *nskb;
struct tcphdr _otcph;
unsigned int otcplen;
struct flowi6 fl6;
if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
@ -312,9 +312,8 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
if (IS_ERR(dst))
return;
hh_len = (dst->dev->hard_header_len + 15)&~15;
nskb = alloc_skb(hh_len + 15 + dst->header_len + sizeof(struct ipv6hdr)
+ sizeof(struct tcphdr) + dst->trailer_len,
nskb = alloc_skb(LL_MAX_HEADER + sizeof(struct ipv6hdr) +
sizeof(struct tcphdr) + dst->trailer_len,
GFP_ATOMIC);
if (!nskb) {
@ -327,7 +326,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
nskb->mark = fl6.flowi6_mark;
skb_reserve(nskb, hh_len + dst->header_len);
skb_reserve(nskb, LL_MAX_HEADER);
nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP, ip6_dst_hoplimit(dst));
nf_reject_ip6_tcphdr_put(nskb, oldskb, otcph, otcplen);

View File

@ -904,6 +904,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
priv->base != NFT_PAYLOAD_INNER_HEADER) ||
skb->ip_summed != CHECKSUM_PARTIAL)) {
if (offset + priv->len > skb->len)
goto err;
fsum = skb_checksum(skb, offset, priv->len, 0);
tsum = csum_partial(src, priv->len, 0);

View File

@ -1269,7 +1269,7 @@ struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
/* and once again: */
list_for_each_entry(t, &xt_net->tables[af], list)
if (strcmp(t->name, name) == 0)
if (strcmp(t->name, name) == 0 && owner == t->me)
return t;
module_put(owner);

View File

@ -98,7 +98,7 @@ static int conntrack_data_insert(struct mnl_socket *sock, struct nlmsghdr *nlh,
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *rplnlh;
unsigned int portid;
int err, ret;
int ret;
portid = mnl_socket_get_portid(sock);
@ -217,7 +217,7 @@ static int conntracK_count_zone(struct mnl_socket *sock, uint16_t zone)
struct nfgenmsg *nfh;
struct nlattr *nest;
unsigned int portid;
int err, ret;
int ret;
portid = mnl_socket_get_portid(sock);
@ -264,7 +264,7 @@ static int conntrack_flush_zone(struct mnl_socket *sock, uint16_t zone)
struct nfgenmsg *nfh;
struct nlattr *nest;
unsigned int portid;
int err, ret;
int ret;
portid = mnl_socket_get_portid(sock);