From: Florian Westphal <fw@strlen.de>
To: David Carlier <devnexen@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Phil Sutter <phil@nwl.cc>, Eric Dumazet <edumazet@google.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: conntrack: clamp TCP window scale to TCP_MAX_WSCALE via ctnetlink
Date: Tue, 24 Mar 2026 17:37:01 +0100
Message-ID: <acK9rdPQNqwejye9@strlen.de>
In-Reply-To: <20260324163033.310087-1-devnexen@gmail.com>
David Carlier <devnexen@gmail.com> wrote:
> The normal TCP option parsing path clamps td_scale to TCP_MAX_WSCALE
> (14), but the ctnetlink path (nlattr_to_tcp) accepts any u8 value
> (0-255). This td_scale is then used as a shift count for u32 values,
> causing undefined behavior when >= 32.
>
> Use NLA_POLICY_MAX in the netlink policy to reject values exceeding
> TCP_MAX_WSCALE at parse time, consistent with how commit f900e1d77ee0
> ("netfilter: conntrack: add missing validation of SCTP netlink
> attributes") addressed similar missing validations.
>
> Fixes: c8e2078cfe41 ("[NETFILTER]: ctnetlink: add support for internal tcp connection tracking flags handling")
> Signed-off-by: David Carlier <devnexen@gmail.com>
> ---
> net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index 0c1d086e96cb..7d364337d71e 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -1386,8 +1386,8 @@ static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
>
> static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
> [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
> - [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
> - [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
> + [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),
> + [CTA_PROTOINFO_TCP_WSCALE_REPLY] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),
> [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
> [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
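Review bot: the subject line says "clamp", but NLA_POLICY_MAX in the two replaced entries rejects an out-of-range attribute at validation time rather than clamping it to TCP_MAX_WSCALE the way the option-parsing path does; the commit body already says "reject", so the subject should say the same. While this table is being touched, the CTA_PROTOINFO_TCP_STATE entry just above stays a plain `{ .type = NLA_U8 }` with no upper bound, so if the aim is consistency with the SCTP validation commit cited in the message it would be worth giving that entry a range policy in the same change instead of only the two wscale entries.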
Makes sense, but I would prefer to update everything in one go, as in
this pending patch:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git/commit/?h=testing&id=3b77a876d9b980daf27f0fd70eaa7344db7c36a7
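To show the parse-time bound the patch relies on, here is an added C example (not code from the kernel or from this thread) built around a hypothetical mini policy table modelled on the patched tcp_nla_policy; the attribute ids, TCP_MAX_WSCALE, validate_attr, scale_window and apply_wscale are all constructed for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's TCP_MAX_WSCALE (RFC 7323 caps the shift at 14). */
#define TCP_MAX_WSCALE 14

/* Hypothetical attribute ids, named after the CTA_PROTOINFO_TCP_* entries in the patch. */
enum { ATTR_TCP_STATE, ATTR_TCP_WSCALE_ORIGINAL, ATTR_TCP_WSCALE_REPLY, ATTR_MAX };
/* Minimal stand-in for struct nla_policy: an inclusive upper bound per u8 attribute. */
struct attr_policy { uint8_t max; };

/* Mirrors the patched table: state keeps the full u8 range, both wscale entries are capped. */
static const struct attr_policy tcp_policy[ATTR_MAX] = {
	[ATTR_TCP_STATE]           = { .max = UINT8_MAX },
	[ATTR_TCP_WSCALE_ORIGINAL] = { .max = TCP_MAX_WSCALE },
	[ATTR_TCP_WSCALE_REPLY]    = { .max = TCP_MAX_WSCALE },
};

/* Parse-time policy check: an out-of-range value is rejected before any consumer sees it. */
static int validate_attr(unsigned int type, uint8_t value)
{
	if (type >= ATTR_MAX)
		return -EINVAL;
	return value > tcp_policy[type].max ? -ERANGE : 0;
}

/* The consumer: the u32 shift the commit message describes; well defined only because
 * validate_attr() has already bounded scale to at most 14. */
static uint32_t scale_window(uint16_t window, uint8_t scale)
{
	return (uint32_t)window << scale;
}

/* End to end: validate the attribute, then use it. Returns 0 and stores the scaled window. */
static int apply_wscale(unsigned int type, uint8_t scale, uint16_t window, uint32_t *out)
{
	int err = validate_attr(type, scale);
	if (err)
		return err;
	*out = scale_window(window, scale);
	return 0;
}
int main(void)
{
	uint32_t w = 0;
	printf("scale 14: %d\n", apply_wscale(ATTR_TCP_WSCALE_REPLY, 14, 65535, &w));
	printf("scale 40: %d (rejected before the shift)\n", apply_wscale(ATTR_TCP_WSCALE_REPLY, 40, 65535, &w));
	return 0;
}
```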
Thread overview: 6+ messages
2026-03-24 16:30 [PATCH] netfilter: conntrack: clamp TCP window scale to TCP_MAX_WSCALE via ctnetlink David Carlier
2026-03-24 16:37 ` Florian Westphal [this message]
2026-03-24 16:43 ` David CARLIER
2026-03-24 16:50 ` Florian Westphal
2026-03-24 17:12 ` [PATCH] netfilter: ctnetlink: use netlink policy range checks David Carlier
2026-03-26 15:30 ` patchwork-bot+netdevbpf