From: Florian Westphal <fw@strlen.de>
To: Xiao Liang <shaw.leon@gmail.com>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH nf] netfilter: nft_exthdr: Fix non-linear header modification
Date: Fri, 25 Aug 2023 05:11:10 +0200
Message-ID: <20230825031110.GA9265@breakpoint.cc>
In-Reply-To: <20230825021432.6053-1-shaw.leon@gmail.com>

Xiao Liang <shaw.leon@gmail.com> wrote:
> nft_tcp_header_pointer() may copy TCP header if it's not linear.
> In that case, we should modify the packet rather than the buffer, after
> proper skb_ensure_writable().
Fixes: 99d1712bc41c ("netfilter: exthdr: tcp option set support")

I do not understand this changelog.

The bug is that skb_ensure_writable() size is too small, hence
nft_tcp_header_pointer() may return a pointer to a local stack
buffer.

> Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
> ---
> net/netfilter/nft_exthdr.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 7f856ceb3a66..2189ccc1119c 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -254,13 +254,12 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
> goto err;
>
> if (skb_ensure_writable(pkt->skb,
> - nft_thoff(pkt) + i + priv->len))
> + nft_thoff(pkt) + i + priv->offset +
> + priv->len))
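
Review bot: the changelog never mentions the length change in this skb_ensure_writable() call, where priv->offset is added to the size (nft_thoff(pkt) + i + priv->offset + priv->len), although it is the line that alters how many bytes are made writable. State in the commit message that the old length stopped short by priv->offset bytes, and consider one call sized to the whole TCP header instead of recomputing this sum for each value of i.
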
[..]
> - tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
> - &tcphdr_len);
> - if (!tcph)
> - goto err;
> + tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt));
> + opt = (u8 *)tcph;

This modification is not related to the bug?

If you think this is better, then please say that the 'do not use
nft_tcp_header_pointer' is an unrelated cleanup in the commit message.
But I would prefer to not mix functional and non-functional changes.

Also, the use of the nft_tcp_header_pointer() helper is the reason why
this doesn't result in memory corruption.

> @@ -325,9 +324,9 @@ static void nft_exthdr_tcp_strip_eval(const struct nft_expr *expr,
> if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len))

Just use the above in nft_exthdr_tcp_set_eval and place it before the loop?
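
Added example, not part of the original message or of the kernel source: a userspace C model of the behaviour discussed in this reply, where an undersized skb_ensure_writable() length leaves the header non-linear, the header-pointer helper hands back the caller's stack copy, and the write is lost instead of corrupting memory. The toy_* names, the 64-byte packet and the sample lengths are constructed for illustration.

```c
#include <string.h>

/* Constructed userspace model, not struct sk_buff: all bytes sit in data[],
 * but only the first `linear` of them count as directly addressable. */
typedef unsigned char u8;
struct toy_skb { u8 data[64]; size_t linear, len; };

/* Models skb_ensure_writable(): make the first n bytes linear. */
static int toy_ensure_writable(struct toy_skb *s, size_t n)
{
    if (n > s->len)
        return -1;
    if (n > s->linear)
        s->linear = n;
    return 0;
}

/* Models skb_header_pointer() at offset 0: a direct pointer when the first
 * n bytes are linear, otherwise a copy in the caller's buffer. */
static u8 *toy_header_pointer(struct toy_skb *s, size_t n, u8 *buf)
{
    if (n > s->len)
        return NULL;
    if (n <= s->linear)
        return s->data;
    return memcpy(buf, s->data, n);
}

/* Returns 1 if the packet byte changed, 0 if the write landed in the stack
 * copy and was lost, -1 on error. Assumes val differs from the old byte. */
static int toy_set_option(struct toy_skb *s, size_t hdr_len, size_t off,
                          u8 val, size_t writable)
{
    u8 buf[60], *hdr;   /* 60 = maximum TCP header length */
    if (off >= hdr_len || hdr_len > sizeof(buf) ||
        toy_ensure_writable(s, writable))
        return -1;
    hdr = toy_header_pointer(s, hdr_len, buf);
    if (!hdr)
        return -1;
    hdr[off] = val;
    return s->data[off] == val;
}

int main(void)
{
    struct toy_skb s = { .linear = 20, .len = 40 };
    return toy_set_option(&s, 32, 30, 0xAA, 24) != 0 ||  /* undersized: lost */
           toy_set_option(&s, 32, 30, 0xAA, 32) != 1;    /* whole header: kept */
}
```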