[PATCH net 8/9] netfilter: bridge: make ebt_snat ARP rewrite writable

Netdev List
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
	horms@kernel.org
Subject: [PATCH net 8/9] netfilter: bridge: make ebt_snat ARP rewrite writable
Date: Mon,  1 Jun 2026 13:59:22 +0200	[thread overview]
Message-ID: <20260601115923.433946-9-pablo@netfilter.org> (raw)
In-Reply-To: <20260601115923.433946-1-pablo@netfilter.org>

From: Yiming Qian <yimingqian591@gmail.com>

The ebtables SNAT target keeps the Ethernet source address rewrite
behind skb_ensure_writable(skb, 0).  This is intentional: at the bridge
ebtables hooks the Ethernet header is addressed through
skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet
payload.  Asking skb_ensure_writable() for ETH_HLEN bytes would check
the payload, not the Ethernet header, and would reintroduce the small
packet regression fixed by commit 63137bc5882a.

However, the optional ARP sender hardware address rewrite is different.
It writes through skb_store_bits() at an offset relative to skb->data:

        skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)

skb_header_pointer() only safely reads the ARP header; it does not make
the later sender hardware address range writable.  If that range is
still held in a nonlinear skb fragment backed by a splice-imported file
page, skb_store_bits() maps the frag page and copies the new MAC address
directly into it.

Ensure the ARP SHA range is writable before reading the ARP header and
before calling skb_store_bits().

Fixes: 63137bc5882a ("netfilter: ebtables: Fixes dropping of small packets in bridge nat")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/ebt_snat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 7dfbcdfc30e5..c9e229af0366 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -31,6 +31,9 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 		const struct arphdr *ap;
 		struct arphdr _ah;

+		if (skb_ensure_writable(skb, sizeof(_ah) + ETH_ALEN))
+			return EBT_DROP;
+
 		ap = skb_header_pointer(skb, 0, sizeof(_ah), &_ah);
 		if (ap == NULL)
 			return EBT_DROP;
-- 
2.47.3

next prev parent reply	other threads:[~2026-06-01 11:59 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-01 11:59 [PATCH net 0/9] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 1/9] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 2/9] ipvs: clear the svc scheduler ptr early on edit Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 3/9] netfilter: nft_fib_ipv6: bail out of sibling walk if rt got unlinked Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 4/9] netfilter: synproxy: add mutex to guard hook reference counting Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 5/9] netfilter: conntrack_irc: fix possible out-of-bounds read Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 6/9] netfilter: nft_tunnel: fix use-after-free on object destroy Pablo Neira Ayuso
2026-06-01 11:59 ` [PATCH net 7/9] netfilter: nft_ct: bail out on template ct in get eval Pablo Neira Ayuso
2026-06-01 11:59 ` Pablo Neira Ayuso [this message]
2026-06-01 11:59 ` [PATCH net 9/9] netfilter: nft_byteorder: remove multi-register support Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7dfbcdfc30e dfblob:c9e229af036 )
 OR (
bs:"[PATCH net 8/9] netfilter: bridge: make ebt_snat ARP rewrite writable" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260601115923.433946-9-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox