From: Eric Woudstra <ericwouds@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Florian Westphal <fw@strlen.de>, Phil Sutter <phil@nwl.cc>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Nikolay Aleksandrov <razor@blackwall.org>,
Ido Schimmel <idosch@nvidia.com>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
bridge@lists.linux.dev, Eric Woudstra <ericwouds@gmail.com>
Subject: [PATCH v17 nf-next 1/4] netfilter: utils: nf_checksum(_partial) correct data!=networkheader
Date: Sun, 9 Nov 2025 20:24:24 +0100 [thread overview]
Message-ID: <20251109192427.617142-2-ericwouds@gmail.com> (raw)
In-Reply-To: <20251109192427.617142-1-ericwouds@gmail.com>
In the conntrack hook it may not always be the case that:
skb_network_header(skb) == skb->data, i.e. skb_network_offset(skb)
is zero.
This is problematic when L4 function nf_conntrack_handle_packet()
is accessing L3 data. This function uses thoff and ip_hdr()
to finds it's data. But it also calculates the checksum.
nf_checksum() and nf_checksum_partial() both use lower skb-checksum
functions that are based on using skb->data.
Adjust for skb_network_offset(skb), so that the checksum is calculated
correctly.
Signed-off-by: Eric Woudstra <ericwouds@gmail.com>
---
net/netfilter/utils.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 008419db815a..7b33fe63c5fa 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -124,16 +124,25 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u8 protocol,
unsigned short family)
{
+ unsigned int nhpull = skb_network_offset(skb);
__sum16 csum = 0;
+ if (WARN_ON(!skb_pointer_if_linear(skb, nhpull, 0)))
+ return 0;
+
+ /* pull/push because the lower csum functions assume that
+ * skb_network_offset(skb) is zero.
+ */
+ __skb_pull(skb, nhpull);
switch (family) {
case AF_INET:
- csum = nf_ip_checksum(skb, hook, dataoff, protocol);
+ csum = nf_ip_checksum(skb, hook, dataoff - nhpull, protocol);
break;
case AF_INET6:
- csum = nf_ip6_checksum(skb, hook, dataoff, protocol);
+ csum = nf_ip6_checksum(skb, hook, dataoff - nhpull, protocol);
break;
}
+ __skb_push(skb, nhpull);
return csum;
}
@@ -143,18 +152,25 @@ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u8 protocol, unsigned short family)
{
+ unsigned int nhpull = skb_network_offset(skb);
__sum16 csum = 0;
+ if (WARN_ON(!skb_pointer_if_linear(skb, nhpull, 0)))
+ return 0;
+
+ /* See nf_checksum() */
+ __skb_pull(skb, nhpull);
switch (family) {
case AF_INET:
- csum = nf_ip_checksum_partial(skb, hook, dataoff, len,
- protocol);
+ csum = nf_ip_checksum_partial(skb, hook, dataoff - nhpull,
+ len, protocol);
break;
case AF_INET6:
- csum = nf_ip6_checksum_partial(skb, hook, dataoff, len,
- protocol);
+ csum = nf_ip6_checksum_partial(skb, hook, dataoff - nhpull,
+ len, protocol);
break;
}
+ __skb_push(skb, nhpull);
return csum;
}
--
2.50.0
next prev parent reply other threads:[~2025-11-09 19:24 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-09 19:24 [PATCH v17 nf-next 0/4] conntrack: bridge: add double vlan, pppoe and pppoe-in-q Eric Woudstra
2025-11-09 19:24 ` Eric Woudstra [this message]
2026-02-08 23:52 ` [PATCH v17 nf-next 1/4] netfilter: utils: nf_checksum(_partial) correct data!=networkheader Florian Westphal
2025-11-09 19:24 ` [PATCH v17 nf-next 2/4] netfilter: bridge: Add conntrack double vlan and pppoe Eric Woudstra
2025-11-09 19:24 ` [PATCH v17 nf-next 3/4] netfilter: nft_set_pktinfo_ipv4/6_validate: Add nhoff argument Eric Woudstra
2025-11-09 19:24 ` [PATCH v17 nf-next 4/4] netfilter: nft_chain_filter: Add bridge double vlan and pppoe Eric Woudstra
2026-01-25 16:25 ` Eric Woudstra
2026-02-08 23:55 ` Florian Westphal
2026-01-06 19:55 ` [PATCH v17 nf-next 0/4] conntrack: bridge: add double vlan, pppoe and pppoe-in-q Eric Woudstra
2026-01-28 15:54 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251109192427.617142-2-ericwouds@gmail.com \
--to=ericwouds@gmail.com \
--cc=bridge@lists.linux.dev \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=idosch@nvidia.com \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
--cc=razor@blackwall.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.