public inbox for netdev@vger.kernel.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
	horms@kernel.org
Subject: [PATCH net 03/14] netfilter: arp_tables: fix IEEE1394 ARP payload parsing in arp_packet_match()
Date: Thu, 16 Apr 2026 03:30:50 +0200
Message-ID: <20260416013101.221555-4-pablo@netfilter.org>
In-Reply-To: <20260416013101.221555-1-pablo@netfilter.org>

From: Weiming Shi <bestswngs@gmail.com>

arp_packet_match() unconditionally parses the ARP payload assuming two
hardware addresses are present (source and target). However,
IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address
field, and arp_hdr_len() already accounts for this by returning a
shorter length for ARPHRD_IEEE1394 devices.

As a result, on IEEE1394 interfaces arp_packet_match() advances past a
nonexistent target hardware address and reads the wrong bytes for both
the target device address comparison and the target IP address. This
causes arptables rules to match against garbage data, leading to
incorrect filtering decisions: packets that should be accepted may be
dropped and vice versa.

The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already
handles this correctly by skipping the target hardware address for
ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().

[ Pablo has mangled this patch to include Simon Horman's suggestions ]

Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/arp_tables.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 1cdd9c28ab2d..a7a56890b5b5 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -110,13 +110,21 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
 	arpptr += dev->addr_len;
 	memcpy(&src_ipaddr, arpptr, sizeof(u32));
 	arpptr += sizeof(u32);
-	tgt_devaddr = arpptr;
-	arpptr += dev->addr_len;
+
+	if (IS_ENABLED(CONFIG_FIREWIRE_NET) && dev->type == ARPHRD_IEEE1394) {
+		tgt_devaddr = NULL;
+	} else {
+		tgt_devaddr = arpptr;
+		arpptr += dev->addr_len;
+	}
 	memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
 
 	if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
 		    arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
-					dev->addr_len)) ||
+					dev->addr_len)))
+		return 0;
+
+	if (tgt_devaddr &&
 	    NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
 		    arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
 					dev->addr_len)))
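Review bot: With tgt_devaddr set to NULL for ARPHRD_IEEE1394, the new `if (tgt_devaddr && NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR, ...))` test is skipped entirely, so a rule that carries a target hardware address constraint (plain or inverted) is treated as satisfied on FireWire interfaces with no indication to the user. Please state in the commit message or in a comment whether that is the intended semantics, or consider failing the match when arpinfo->tgt_devaddr is not a wildcard. The IEEE1394 branch would also benefit from a one-line comment saying that RFC 2734 ARP carries no target hardware address and that this mirrors arp_hdr_len(), since the NULL assignment is otherwise unexplained at the point of use.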
-- 
2.47.3
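
The payload layouts the commit message describes, as an added user-space example (not part of the patch or of the kernel sources). The arp_layout struct and both function names are hypothetical; the 16-byte FireWire address length is an assumption, and the CONFIG_FIREWIRE_NET condition is left out.

```c
#include <stddef.h>
#include <stdint.h>

/* Hardware type values as defined in <linux/if_arp.h>. */
#define ARPHRD_ETHER     1
#define ARPHRD_IEEE1394  24
#define ARP_FIXED_HDR    8   /* sizeof(struct arphdr): hrd, pro, hln, pln, op */
#define IPV4_LEN         4

/* Hypothetical helper type: byte offsets from the start of the ARP header. */
struct arp_layout {
    size_t src_hw;      /* sender hardware address */
    size_t src_ip;      /* sender IPv4 address */
    int    has_tgt_hw;  /* 0 when the link type omits the field */
    size_t tgt_hw;      /* only meaningful when has_tgt_hw != 0 */
    size_t tgt_ip;      /* target IPv4 address */
    size_t total;       /* length the packet must have */
};

/* Fill *out for the given link type; return -1 if pkt_len is too short. */
int arp_layout_for(uint16_t hw_type, size_t addr_len, size_t pkt_len,
                   struct arp_layout *out)
{
    size_t off = ARP_FIXED_HDR;

    out->src_hw = off;
    off += addr_len;
    out->src_ip = off;
    off += IPV4_LEN;

    /* RFC 2734 ARP has no target hardware address field. */
    out->has_tgt_hw = (hw_type != ARPHRD_IEEE1394);
    out->tgt_hw = off;
    if (out->has_tgt_hw)
        off += addr_len;

    out->tgt_ip = off;
    off += IPV4_LEN;
    out->total = off;
    return pkt_len >= out->total ? 0 : -1;
}

/* Offset the pre-patch code used for the target IP: it always stepped
 * over two hardware addresses, whatever the link type. */
size_t legacy_tgt_ip_offset(size_t addr_len)
{
    return ARP_FIXED_HDR + addr_len + IPV4_LEN + addr_len;
}
```

With a 16-byte address the target IP sits at offset 28 of a 32-byte IEEE1394 ARP packet, while the pre-patch arithmetic points at offset 44.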

