From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net 02/11] netfilter: conntrack: add missing netlink policy validations
Date: Fri, 13 Mar 2026 16:06:05 +0100 [thread overview]
Message-ID: <20260313150614.21177-3-fw@strlen.de> (raw)
In-Reply-To: <20260313150614.21177-1-fw@strlen.de>
Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink.
These attributes are used by the kernel without any validation.
Extend the netlink policies accordingly.
Quoting the reporter:
nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE
value directly to ct->proto.sctp.state without checking that it is
within the valid range. [..]
and: ... with exp->dir = 100, the access at
ct->master->tuplehash[100] reads 5600 bytes past the start of a
320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by
UBSAN.
Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Fixes: a258860e01b8 ("netfilter: ctnetlink: add full support for SCTP to ctnetlink")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 65aa44a12d01..c156574e1273 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3489,7 +3489,7 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x,
#if IS_ENABLED(CONFIG_NF_NAT)
static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
- [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
+ [CTA_EXPECT_NAT_DIR] = NLA_POLICY_MAX(NLA_BE32, IP_CT_DIR_REPLY),
[CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
};
#endif
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 7c6f7c9f7332..645d2c43ebf7 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -582,7 +582,8 @@ static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
}
static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
- [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
+ [CTA_PROTOINFO_SCTP_STATE] = NLA_POLICY_MAX(NLA_U8,
+ SCTP_CONNTRACK_HEARTBEAT_SENT),
[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
[CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
};
--
2.52.0
next prev parent reply other threads:[~2026-03-13 15:06 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 15:06 [PATCH net 00/11] netfilter: updates for net Florian Westphal
2026-03-13 15:06 ` [PATCH net 01/11] netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() Florian Westphal
2026-03-14 16:20 ` patchwork-bot+netdevbpf
2026-03-13 15:06 ` Florian Westphal [this message]
2026-03-13 15:06 ` [PATCH net 03/11] netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() Florian Westphal
2026-03-13 15:06 ` [PATCH net 04/11] netfilter: revert nft_set_rbtree: validate open interval overlap Florian Westphal
2026-03-16 8:14 ` [PATCH net 04/11] netfilter: revert nft_set_rbtree: validate open interval overlap: manual merge Matthieu Baerts
2026-03-13 15:06 ` [PATCH net 05/11] netfilter: nf_flow_table_ip: reset mac header before vlan push Florian Westphal
2026-03-13 15:06 ` [PATCH net 06/11] netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case Florian Westphal
2026-03-14 16:12 ` [net,06/11] " Jakub Kicinski
2026-03-14 18:31 ` Florian Westphal
2026-03-14 22:16 ` Guanni Qu
2026-03-15 1:23 ` Jakub Kicinski
2026-03-13 15:06 ` [PATCH net 07/11] nf_tables: nft_dynset: fix possible stateful expression memleak in error path Florian Westphal
2026-03-13 15:06 ` [PATCH net 08/11] netfilter: nft_ct: drop pending enqueued packets on removal Florian Westphal
2026-03-13 15:06 ` [PATCH net 09/11] netfilter: xt_CT: drop pending enqueued packets on template removal Florian Westphal
2026-03-13 15:06 ` [PATCH net 10/11] netfilter: xt_time: use unsigned int for monthday bit shift Florian Westphal
2026-03-13 15:06 ` [PATCH net 11/11] netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260313150614.21177-3-fw@strlen.de \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox