* [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
@ 2026-04-14 22:14 Xiang Mei
2026-04-15 8:19 ` Fernando Fernandez Mancera
2026-04-15 9:29 ` Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Xiang Mei @ 2026-04-14 22:14 UTC (permalink / raw)
To: netfilter-devel
Cc: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, coreteam,
Weiming Shi, Xiang Mei
nf_osf_match_one() computes ctx->window % f->wss.val in the
OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
subsequent matching TCP SYN divides by zero and panics the kernel.
Reject the bogus fingerprint in nfnl_osf_add_callback() above the
per-option for-loop. f->wss is per-fingerprint, not per-option, so
the check must run regardless of f->opt_num (including 0). Also
reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
as "should not happen".
Crash:
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
<IRQ>
nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
nf_hook_slow (net/netfilter/core.c:622)
ip_local_deliver (net/ipv4/ip_input.c:265)
ip_rcv (include/linux/skbuff.h:1162)
__netif_receive_skb_one_core (net/core/dev.c:6181)
process_backlog (net/core/dev.c:6642)
__napi_poll (net/core/dev.c:7710)
net_rx_action (net/core/dev.c:7945)
handle_softirqs (kernel/softirq.c:622)
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: Fix the bug in configure path and correct the fix tag
net/netfilter/nfnetlink_osf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 45d9ad231..70172ca07 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt_num > ARRAY_SIZE(f->opt))
return -EINVAL;
+ if (f->wss.wc >= OSF_WSS_MAX ||
+ (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
+ return -EINVAL;
+
for (i = 0; i < f->opt_num; i++) {
if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
2026-04-14 22:14 [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Xiang Mei
@ 2026-04-15 8:19 ` Fernando Fernandez Mancera
2026-04-15 9:29 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Fernando Fernandez Mancera @ 2026-04-15 8:19 UTC (permalink / raw)
To: Xiang Mei, netfilter-devel
Cc: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, coreteam,
Weiming Shi
On 4/15/26 12:14 AM, Xiang Mei wrote:
> nf_osf_match_one() computes ctx->window % f->wss.val in the
> OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
> CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
> subsequent matching TCP SYN divides by zero and panics the kernel.
>
> Reject the bogus fingerprint in nfnl_osf_add_callback() above the
> per-option for-loop. f->wss is per-fingerprint, not per-option, so
> the check must run regardless of f->opt_num (including 0). Also
> reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
> as "should not happen".
>
> Crash:
> Oops: divide error: 0000 [#1] SMP KASAN NOPTI
> RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
> Call Trace:
> <IRQ>
> nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
> xt_osf_match_packet (net/netfilter/xt_osf.c:32)
> ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
> nf_hook_slow (net/netfilter/core.c:622)
> ip_local_deliver (net/ipv4/ip_input.c:265)
> ip_rcv (include/linux/skbuff.h:1162)
> __netif_receive_skb_one_core (net/core/dev.c:6181)
> process_backlog (net/core/dev.c:6642)
> __napi_poll (net/core/dev.c:7710)
> net_rx_action (net/core/dev.c:7945)
> handle_softirqs (kernel/softirq.c:622)
>
> Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Suggested-by: Florian Westphal <fw@strlen.de>
> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
This looks good to me.
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
> v2: Fix the bug in configure path and correct the fix tag
>
> net/netfilter/nfnetlink_osf.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> index 45d9ad231..70172ca07 100644
> --- a/net/netfilter/nfnetlink_osf.c
> +++ b/net/netfilter/nfnetlink_osf.c
> @@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> if (f->opt_num > ARRAY_SIZE(f->opt))
> return -EINVAL;
>
> + if (f->wss.wc >= OSF_WSS_MAX ||
> + (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
> + return -EINVAL;
> +
> for (i = 0; i < f->opt_num; i++) {
> if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
> return -EINVAL;
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
2026-04-14 22:14 [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Xiang Mei
2026-04-15 8:19 ` Fernando Fernandez Mancera
@ 2026-04-15 9:29 ` Pablo Neira Ayuso
2026-04-15 9:55 ` Pablo Neira Ayuso
1 sibling, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2026-04-15 9:29 UTC (permalink / raw)
To: Xiang Mei
Cc: netfilter-devel, Florian Westphal, Phil Sutter, coreteam,
Weiming Shi
On Tue, Apr 14, 2026 at 03:14:01PM -0700, Xiang Mei wrote:
> nf_osf_match_one() computes ctx->window % f->wss.val in the
> OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
> CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
> subsequent matching TCP SYN divides by zero and panics the kernel.
>
> Reject the bogus fingerprint in nfnl_osf_add_callback() above the
> per-option for-loop. f->wss is per-fingerprint, not per-option, so
> the check must run regardless of f->opt_num (including 0). Also
> reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
> as "should not happen".
>
> Crash:
> Oops: divide error: 0000 [#1] SMP KASAN NOPTI
> RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
> Call Trace:
> <IRQ>
> nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
> xt_osf_match_packet (net/netfilter/xt_osf.c:32)
> ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
> nf_hook_slow (net/netfilter/core.c:622)
> ip_local_deliver (net/ipv4/ip_input.c:265)
> ip_rcv (include/linux/skbuff.h:1162)
> __netif_receive_skb_one_core (net/core/dev.c:6181)
> process_backlog (net/core/dev.c:6642)
> __napi_poll (net/core/dev.c:7710)
> net_rx_action (net/core/dev.c:7945)
> handle_softirqs (kernel/softirq.c:622)
>
> Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Suggested-by: Florian Westphal <fw@strlen.de>
> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
> v2: Fix the bug in configure path and correct the fix tag
>
> net/netfilter/nfnetlink_osf.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> index 45d9ad231..70172ca07 100644
> --- a/net/netfilter/nfnetlink_osf.c
> +++ b/net/netfilter/nfnetlink_osf.c
> @@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> if (f->opt_num > ARRAY_SIZE(f->opt))
> return -EINVAL;
>
> + if (f->wss.wc >= OSF_WSS_MAX ||
> + (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
> + return -EINVAL;
Maybe, more explicit, it is more lengthy but cristal clear:
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index e8069f4e139b..357453e8c147 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -329,6 +329,19 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
return -EINVAL;
+ switch (f->wss.wc) {
+ case OSF_WSS_PLAIN:
+ case OSF_WSS_MSS:
+ case OSF_WSS_MTU:
+ break;
+ case OSF_WSS_MODULO:
+ if (f->wss.val == 0)
+ return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
+
tot_opt_len += f->opt[i].length;
if (tot_opt_len > MAX_IPOPTLEN)
return -EINVAL;
> +
> for (i = 0; i < f->opt_num; i++) {
> if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
> return -EINVAL;
> --
> 2.43.0
>
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
2026-04-15 9:29 ` Pablo Neira Ayuso
@ 2026-04-15 9:55 ` Pablo Neira Ayuso
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2026-04-15 9:55 UTC (permalink / raw)
To: Xiang Mei
Cc: netfilter-devel, Florian Westphal, Phil Sutter, coreteam,
Weiming Shi
On Wed, Apr 15, 2026 at 11:29:06AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Apr 14, 2026 at 03:14:01PM -0700, Xiang Mei wrote:
> > nf_osf_match_one() computes ctx->window % f->wss.val in the
> > OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A
> > CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a
> > subsequent matching TCP SYN divides by zero and panics the kernel.
> >
> > Reject the bogus fingerprint in nfnl_osf_add_callback() above the
> > per-option for-loop. f->wss is per-fingerprint, not per-option, so
> > the check must run regardless of f->opt_num (including 0). Also
> > reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that
> > as "should not happen".
> >
> > Crash:
> > Oops: divide error: 0000 [#1] SMP KASAN NOPTI
> > RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
> > Call Trace:
> > <IRQ>
> > nf_osf_match (net/netfilter/nfnetlink_osf.c:220)
> > xt_osf_match_packet (net/netfilter/xt_osf.c:32)
> > ipt_do_table (net/ipv4/netfilter/ip_tables.c:348)
> > nf_hook_slow (net/netfilter/core.c:622)
> > ip_local_deliver (net/ipv4/ip_input.c:265)
> > ip_rcv (include/linux/skbuff.h:1162)
> > __netif_receive_skb_one_core (net/core/dev.c:6181)
> > process_backlog (net/core/dev.c:6642)
> > __napi_poll (net/core/dev.c:7710)
> > net_rx_action (net/core/dev.c:7945)
> > handle_softirqs (kernel/softirq.c:622)
> >
> > Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
> > Reported-by: Weiming Shi <bestswngs@gmail.com>
> > Suggested-by: Florian Westphal <fw@strlen.de>
> > Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > Signed-off-by: Xiang Mei <xmei5@asu.edu>
> > ---
> > v2: Fix the bug in configure path and correct the fix tag
> >
> > net/netfilter/nfnetlink_osf.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
> > index 45d9ad231..70172ca07 100644
> > --- a/net/netfilter/nfnetlink_osf.c
> > +++ b/net/netfilter/nfnetlink_osf.c
> > @@ -320,6 +320,10 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
> > if (f->opt_num > ARRAY_SIZE(f->opt))
> > return -EINVAL;
> >
> > + if (f->wss.wc >= OSF_WSS_MAX ||
> > + (f->wss.wc == OSF_WSS_MODULO && f->wss.val == 0))
> > + return -EINVAL;
>
> Maybe, more explicit, it is more lengthy but cristal clear:
Not really, this needs to be done out of loop as you do.
I'll take your patch, thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-15 9:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-14 22:14 [PATCH nf v2] netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO Xiang Mei
2026-04-15 8:19 ` Fernando Fernandez Mancera
2026-04-15 9:29 ` Pablo Neira Ayuso
2026-04-15 9:55 ` Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.