From: Florian Westphal <fw@strlen.de>
To: Siho Lee <25esihoya@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net] netfilter: nft_payload: move offset bounds check outside csum condition
Date: Thu, 28 May 2026 16:12:26 +0200
Message-ID: <ahhNSscKHjx7bebv@strlen.de>
In-Reply-To: <CAOYEF6nf5-B-P7DHf_cpLaqUSoZC2FJphBqE2s4zE8MygMCb_g@mail.gmail.com>
Siho Lee <25esihoya@gmail.com> wrote:
> From 574604a1b4a98ee130d7f727ad3c8a7df3f3b6f1 Mon Sep 17 00:00:00 2001
> From: Siho Lee <25esihoya@gmail.com>
> Date: Thu, 28 May 2026 22:39:03 +0900
> Subject: [PATCH v1] netfilter: nft_payload: move offset bounds check outside
> csum condition
>
> The bounds check for offset + priv->len was placed inside the csum
> condition block. When csum_type is NFT_PAYLOAD_CSUM_NONE and
> csum_flags is 0, the entire block including the bounds check is
> skipped.
>
> For NFT_PAYLOAD_LL_HEADER, offset is computed as:
> offset = skb_mac_header(skb) - skb->data - vlan_hlen
> which evaluates to -14 (or -18 with VLAN) after eth_type_trans()
> pulls the Ethernet header.
>
> Without the bounds check, a negative offset reaches:
> skb_ensure_writable(skb, max(offset + priv->len, 0))
> skb_store_bits(skb, offset, src, priv->len)
>
> max(-14 + 4, 0) == 0 makes skb_ensure_writable a no-op, and
> skb_store_bits(skb, -14, ...) writes to skb headroom (OOB write).
>
> The signed-unsigned comparison in the bounds check correctly catches
> negative offsets: (unsigned int)(-10) is a large positive value that
> exceeds any valid skb->len.
>
> Move the bounds check outside the csum condition so it applies
> regardless of csum_type/csum_flags.

This breaks link layer update support.
# cd git/nftables/tests/shell
# NFT=nft ./run-tests.sh testcases/packetpath/bridge_pass_up C
W: [FAILED] 1/1 testcases/packetpath/bridge_pass_up
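The arithmetic the commit message describes (a negative link-layer offset after the Ethernet pull, max(offset + len, 0) clamping to 0, and the signed/unsigned bounds comparison), together with the effect of running that comparison unconditionally, modelled as an added example written for this page. It is not kernel code and not the patch under review: struct model_skb, build_model_skb(), CSUM_NONE/CSUM_INET and the constructed 64-byte buffer are assumptions standing in for the real sk_buff, the NFT_PAYLOAD_CSUM_* values and a live frame.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-in for the sk_buff fields this thread talks
 * about. Illustration code only, not the kernel's struct sk_buff. */
struct model_skb {
	unsigned char *head;       /* start of the allocated buffer */
	unsigned char *data;       /* payload pointer after eth_type_trans() pulled the header */
	unsigned char *mac_header; /* where the link-layer header starts */
	unsigned int len;          /* bytes from data to tail */
};

enum { CSUM_NONE = 0, CSUM_INET = 1 }; /* stand-ins for NFT_PAYLOAD_CSUM_* */

/* Lay out a model skb over a caller-supplied buffer: the MAC header sits at
 * the start, and 'pulled' bytes (14 for Ethernet) have already been pulled. */
static void build_model_skb(struct model_skb *skb, unsigned char *buf,
			    unsigned int pulled, unsigned int len)
{
	skb->head = buf;
	skb->mac_header = buf;
	skb->data = buf + pulled;
	skb->len = len;
}

/* offset = skb_mac_header(skb) - skb->data, as the commit message computes
 * it for NFT_PAYLOAD_LL_HEADER (VLAN adjustment omitted). */
static int ll_header_offset(const struct model_skb *skb)
{
	return (int)(skb->mac_header - skb->data);
}

/* Where a store at 'offset' relative to data lands, measured from head.
 * 0 means the start of the buffer, i.e. the MAC header itself. */
static long write_target_from_head(const struct model_skb *skb, int offset)
{
	return (long)((skb->data + offset) - skb->head);
}

/* The bounds check as described: offset is signed, the lengths unsigned, so
 * a negative offset becomes a huge unsigned value and fails the comparison. */
static bool offset_in_bounds(int offset, uint8_t len, unsigned int skb_len)
{
	return !((unsigned int)(offset + len) > skb_len);
}

/* Length handed to skb_ensure_writable() on the checksum path:
 * max(offset + len, 0). A negative LL offset clamps this to 0. */
static int ensure_writable_len(int offset, uint8_t len)
{
	int n = offset + len;
	return n > 0 ? n : 0;
}

/* Pre-patch ordering: the bounds check lives inside the csum block, so with
 * csum_type == CSUM_NONE and no csum flags the store proceeds unchecked.
 * Returns true if the store would be attempted. */
static bool pre_patch_store_attempted(int csum_type, unsigned int csum_flags,
				      int offset, uint8_t len, unsigned int skb_len)
{
	if (csum_type != CSUM_NONE || csum_flags) {
		if (!offset_in_bounds(offset, len, skb_len))
			return false;
	}
	return true;
}

/* Patched ordering: the same check runs first, regardless of csum settings. */
static bool patched_store_attempted(int csum_type, unsigned int csum_flags,
				    int offset, uint8_t len, unsigned int skb_len)
{
	(void)csum_type;
	(void)csum_flags;
	return offset_in_bounds(offset, len, skb_len);
}

int main(void)
{
	unsigned char buf[64] = {0}; /* constructed: 14-byte Ethernet header + 50-byte payload */
	struct model_skb skb;
	int off;

	build_model_skb(&skb, buf, 14, 50);
	off = ll_header_offset(&skb);

	printf("LL header offset after pull: %d\n", off);
	printf("skb_ensure_writable length: %d\n", ensure_writable_len(off, 4));
	printf("store lands %ld bytes from head\n", write_target_from_head(&skb, off));
	printf("CSUM_NONE, pre-patch: store attempted = %d\n",
	       pre_patch_store_attempted(CSUM_NONE, 0, off, 4, skb.len));
	printf("CSUM_INET, pre-patch: store attempted = %d\n",
	       pre_patch_store_attempted(CSUM_INET, 0, off, 4, skb.len));
	printf("CSUM_NONE, patched:   store attempted = %d\n",
	       patched_store_attempted(CSUM_NONE, 0, off, 4, skb.len));
	printf("transport offset 20, patched: store attempted = %d\n",
	       patched_store_attempted(CSUM_NONE, 0, 20, 4, skb.len));
	return 0;
}
```

With the 14-byte pull the LL offset is -14, (unsigned int)(-10) is 4294967286, and the unconditional check rejects the store for every csum_type while an in-range transport offset still passes. That is the trade-off the failing bridge_pass_up run above reports: the same comparison that stops an unchecked negative offset on the CSUM_NONE path also refuses the link-layer header update that test exercises, which is why the v2 subject line moves to validating the offset per csum_type path rather than rejecting it outright.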
Thread overview:
2026-05-28 13:39 [PATCH net] netfilter: nft_payload: move offset bounds check outside csum condition Siho Lee
2026-05-28 14:12 ` Florian Westphal [this message]
2026-05-28 15:28 ` [PATCH v2 net] netfilter: nft_payload: validate offset for all csum_type paths Siho Lee