From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
pablo@netfilter.org, phil@nwl.cc
Subject: Re: [PATCH 4/4 nf v2] netfilter: synproxy: fix possible write to stale pointer
Date: Mon, 25 May 2026 20:59:05 +0200
Message-ID: <ahSb-UU8n9o1aHoI@strlen.de>
In-Reply-To: <df64cebb-1279-4e66-afa7-3d8ffca4928f@suse.de>

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> On 5/25/26 2:44 PM, Fernando Fernandez Mancera wrote:
> > skb_ensure_writable() is called to guarantee that the TCP options area
> > can be safely modified when adjusting the timestamp. As it expands or
> > linearizes the skb head it might reallocate the data buffer.
> >
> > This makes the th pointer passed by the caller stale. The following
> > writes to the TCP header might be done to a stale pointer.
> >
> > Recalculating the th pointer after skb_ensure_writable() prevents this
> > issue from happening.
> >
> > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
> > Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
>
> LOL. I just realized I already reviewed this at:
>
> https://lore.kernel.org/netfilter-devel/20260522104257.2008-3-fw@strlen.de/T/#u
>
> *facepalm* sorry for the noise, Florian could you ignore this patch but
> consider the other 3 fixes?

I know it's tiresome, but would you mind sending a new version that also
fixes up the other things pointed out by sashiko?

https://sashiko.dev/#/patchset/20260525124450.6043-1-fmancera%40suse.de

In particular, seqadj and concurrent registration. As these bugs aren't
as severe as patch 4, I think nf-next would be fine as well.
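
The pattern the quoted commit message describes, as an added example that is not part of the thread or the patch: a userspace C model in which `struct pkt`, `pkt_ensure_writable()`, `adjust_stale()` and `adjust_fixed()` are hypothetical stand-ins for the skb, `skb_ensure_writable()` and the caller's handling of `th`. It shows the write through the old pointer landing in the old buffer, and the write through the recomputed pointer landing in the packet's own buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of an skb (hypothetical names), not kernel code. */
struct pkt { uint8_t *data; size_t len; int shared; };

/* Models the reallocation the commit message describes: a shared buffer is
 * copied, so p->data moves. The old buffer stays alive for its other owner. */
static int pkt_ensure_writable(struct pkt *p)
{
    if (!p->shared) return 0;
    uint8_t *copy = malloc(p->len);
    if (!copy) return -1;
    memcpy(copy, p->data, p->len);
    p->data = copy;
    p->shared = 0;
    return 0;
}

/* Before: the caller's header pointer is reused after the call. */
static int adjust_stale(struct pkt *p, uint8_t *th, size_t field, uint8_t v)
{
    if (pkt_ensure_writable(p)) return -1;
    th[field] = v;              /* still points into the old buffer */
    return 0;
}

/* After: carry the header offset and recompute the pointer afterwards. */
static int adjust_fixed(struct pkt *p, size_t hdr_off, size_t field, uint8_t v)
{
    if (pkt_ensure_writable(p)) return -1;
    uint8_t *th = p->data + hdr_off;    /* recomputed from the current buffer */
    th[field] = v;
    return 0;
}

/* Constructed 40-byte packet, header at offset 20. Result bit 0: the packet's
 * own buffer got the write; bit 1: the old shared buffer was modified. */
int run_case(int fixed)
{
    uint8_t orig[40] = {0};
    struct pkt p = { orig, sizeof(orig), 1 };
    int r = fixed ? adjust_fixed(&p, 20, 16, 0xAB)
                  : adjust_stale(&p, orig + 20, 16, 0xAB);
    int res = r ? -1 : (p.data[36] == 0xAB) | ((orig[36] == 0xAB) << 1);
    if (p.data != orig) free(p.data);
    return res;
}
int main(void) { return !(run_case(0) == 2 && run_case(1) == 1); }
```

In the model the old buffer is kept alive so the stale write is observable; if the old buffer were freed instead, the same write would be a use-after-free.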

Thread overview: 11+ messages
2026-05-25 12:44 [PATCH 0/4 nf v2] netfilter: synproxy: timestamp adjustment fixes Fernando Fernandez Mancera
2026-05-25 12:44 ` [PATCH 1/4 nf v2] netfilter: synproxy: drop packets if timestamp adjustment fails Fernando Fernandez Mancera
2026-05-25 12:44 ` [PATCH 2/4 nf v2] netfilter: synproxy: adjust duplicate timestamp options Fernando Fernandez Mancera
2026-05-25 12:44 ` [PATCH 3/4 nf v2] netfilter: synproxy: fix unaligned memory access in timestamp adjustment Fernando Fernandez Mancera
2026-05-25 12:44 ` [PATCH 4/4 nf v2] netfilter: synproxy: fix possible write to stale pointer Fernando Fernandez Mancera
2026-05-25 13:45 ` Fernando Fernandez Mancera
2026-05-25 18:59 ` Florian Westphal [this message]
2026-05-25 19:02 ` Fernando Fernandez Mancera
2026-05-26 10:12 ` Fernando Fernandez Mancera
2026-05-26 13:05 ` Florian Westphal
2026-05-26 13:12 ` Fernando Fernandez Mancera