From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
horms@kernel.org
Subject: [PATCH net 6/8] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
Date: Wed, 10 Jun 2026 18:16:26 +0200 [thread overview]
Message-ID: <20260610161629.214092-7-pablo@netfilter.org> (raw)
In-Reply-To: <20260610161629.214092-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.
Bail out if userspace requests too much data when F_PRESENT is set.
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_exthdr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index e6a07c0df207..d3fc7969f123 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -532,6 +532,9 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
return err;
}
+ if ((flags & NFT_EXTHDR_F_PRESENT) && len != 1)
+ return -EINVAL;
+
priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
priv->offset = offset;
priv->len = len;
--
2.47.3
next prev parent reply other threads:[~2026-06-10 16:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 16:16 [PATCH net 0/8] Netfilter fixes for net Pablo Neira Ayuso
2026-06-10 16:16 ` [PATCH net 1/8] netfilter: revalidate bridge ports Pablo Neira Ayuso
2026-06-11 10:40 ` patchwork-bot+netdevbpf
2026-06-10 16:16 ` [PATCH net 2/8] netfilter: nf_tables_offload: drop device refcount on error Pablo Neira Ayuso
2026-06-10 16:16 ` [PATCH net 3/8] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister Pablo Neira Ayuso
2026-06-10 16:16 ` [PATCH net 4/8] netfilter: x_tables: avoid leaking percpu counter pointers Pablo Neira Ayuso
2026-06-10 16:16 ` [PATCH net 5/8] netfilter: nf_log: validate MAC header was set before dumping it Pablo Neira Ayuso
2026-06-10 16:16 ` Pablo Neira Ayuso [this message]
2026-06-10 16:16 ` [PATCH net 7/8] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Pablo Neira Ayuso
2026-06-10 16:16 ` [PATCH net 8/8] netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610161629.214092-7-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.