diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-10-30 23:13:48 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-11-08 16:22:02 +0100 |
| commit | e3e608cbad376674d19a71ccd0d41804d9393f02 (patch) | |
| tree | b2fa2e25db248d8451d69a1683370c5b5d3c5606 /net | |
| parent | a27a5c40ee4cbe00294e2c76160de5f2589061ba (diff) | |
| download | linux-e3e608cbad376674d19a71ccd0d41804d9393f02.tar.gz linux-e3e608cbad376674d19a71ccd0d41804d9393f02.tar.bz2 linux-e3e608cbad376674d19a71ccd0d41804d9393f02.zip | |
netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]
If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().
skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.
Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
Reported-by: Slavin Liu <slavin-ayu@qq.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nft_payload.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index fa64b1b8ae91..f607cd7f203a 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c @@ -618,6 +618,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr, if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) && (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER || skb->ip_summed != CHECKSUM_PARTIAL)) { + if (offset + priv->len > skb->len) + goto err; + fsum = skb_checksum(skb, offset, priv->len, 0); tsum = csum_partial(src, priv->len, 0); |