From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Dudu Lu <phx0fer@gmail.com>
Cc: netfilter-devel@vger.kernel.org, fw@strlen.de
Subject: Re: [PATCH] netfilter: nfnetlink_cthelper: fix expect policy update copying only first class values to all classes
Date: Mon, 13 Apr 2026 19:27:58 +0200
Message-ID: <ad0ncfqrrUWrYOmo@chamomile>
In-Reply-To: <20260413084822.70754-1-phx0fer@gmail.com>
On Mon, Apr 13, 2026 at 04:48:22PM +0800, Dudu Lu wrote:
> In nfnl_cthelper_update_policy_all(), when updating the expect policies
> of a multi-class conntrack helper, the loop iterates over all expect
> classes but always reads from new_policy[0] instead of new_policy[i]:
>
> for (i = 0; i < helper->expect_class_max + 1; i++) {
> 	policy = &helper->expect_policy[i];
> 	policy->max_expected = new_policy->max_expected; /* always [0] */
> 	policy->timeout = new_policy->timeout; /* always [0] */
> }
>
> The new_policy array was correctly parsed per-class by
> nfnl_cthelper_update_policy_one() in the validation loop above (line
> 336-342), with each new_policy[i] holding its respective class values.
> However, the copy loop dereferences new_policy as a pointer
> (new_policy->x) rather than indexing it as an array
> (new_policy[i].x), creating a security vulnerability.
>
> As a result, all expect classes of a multi-class helper get overwritten
> with the values of class 0, discarding the per-class differentiation.
>
> This affects helpers like H.323 which use multiple expect classes
> (RTP, RTCP, T.120) with different max_expected and timeout values.
> After a policy update, all classes get identical limits, breaking the
> per-class expect enforcement.
Not really. Such helpers do not exist in userspace, and this is fully
userspace conntrack helper infrastructure.
This is nf-next material: I think no userspace helper is using more
than one single expectation class at this stage.
> Fix by indexing new_policy with the loop variable.
>
> Fixes: 2c422257550f ("netfilter: nfnl_cthelper: fix runtime expectation policy updates")
> Signed-off-by: Dudu Lu <phx0fer@gmail.com>
> ---
> net/netfilter/nfnetlink_cthelper.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
> index d545fa459455..1e605d77796d 100644
> --- a/net/netfilter/nfnetlink_cthelper.c
> +++ b/net/netfilter/nfnetlink_cthelper.c
> @@ -346,8 +346,8 @@ static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
> for (i = 0; i < helper->expect_class_max + 1; i++) {
> policy = (struct nf_conntrack_expect_policy *)
> &helper->expect_policy[i];
> - policy->max_expected = new_policy->max_expected;
> - policy->timeout = new_policy->timeout;
> + policy->max_expected = new_policy[i].max_expected;
> + policy->timeout = new_policy[i].timeout;
> }
>
> err:
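Review bot: the new reads at `new_policy[i].max_expected` and `new_policy[i].timeout` are only in bounds if `new_policy` holds at least `helper->expect_class_max + 1` entries, and nothing in this hunk shows where that array is sized or that every entry was filled; the commit message should point at the allocation and at the validation loop it says populates each class (it cites lines 336-342) so a reviewer can confirm that the loop bound on the unchanged `for (i = 0; i < helper->expect_class_max + 1; i++)` line and the array length agree. The `(struct nf_conntrack_expect_policy *)` cast on the context line above the change is untouched, which is reasonable for a minimal fix.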
> --
> 2.39.3 (Apple Git-145)
>
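A stand-alone C illustration of the copy bug described in the quoted commit message, added here as an example and not part of the patch or the kernel tree; the struct names, the fixed three-class helper and the sample per-class values are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel's expect policy: only the two
 * fields the patch touches. Not the kernel's own definition. */
struct expect_policy {
	unsigned int max_expected;
	unsigned int timeout;
};

#define MAX_CLASSES 3

/* Constructed helper with a fixed number of expect classes. */
struct helper {
	unsigned int expect_class_max;            /* highest class index */
	struct expect_policy expect_policy[MAX_CLASSES];
};

/* Pre-patch behaviour: new_policy is dereferenced as a pointer, so
 * every class silently receives class 0's values. */
void update_policy_all_buggy(struct helper *h,
			     const struct expect_policy *new_policy)
{
	for (unsigned int i = 0; i < h->expect_class_max + 1; i++) {
		struct expect_policy *p = &h->expect_policy[i];
		p->max_expected = new_policy->max_expected;
		p->timeout = new_policy->timeout;
	}
}

/* Patched behaviour: index new_policy by the loop variable. */
void update_policy_all_fixed(struct helper *h,
			     const struct expect_policy *new_policy)
{
	for (unsigned int i = 0; i < h->expect_class_max + 1; i++) {
		struct expect_policy *p = &h->expect_policy[i];
		p->max_expected = new_policy[i].max_expected;
		p->timeout = new_policy[i].timeout;
	}
}

/* Returns 1 if every class holds exactly the per-class values requested,
 * i.e. the per-class differentiation survived the update. */
int policies_match(const struct helper *h, const struct expect_policy *want)
{
	return memcmp(h->expect_policy, want,
		      (h->expect_class_max + 1) * sizeof(*want)) == 0;
}
```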