[PATCH] netfilter: xt_HL: add pr_fmt, default case and NULL checks

[PATCH] netfilter: xt_HL: add pr_fmt, default case and NULL checks

[Marino Dzalto]

Signed-off-by: Marino Dzalto <marino.dzalto@gmail.com>
---
 net/netfilter/xt_hl.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index c1a70f8f0..9434d5ca8 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -6,6 +6,7 @@
  * Hop Limit matching module
  * (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/ip.h>
 #include <linux/ipv6.h>
@@ -25,7 +26,12 @@ MODULE_ALIAS("ip6t_hl");
 static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ipt_ttl_info *info = par->matchinfo;
-	const u8 ttl = ip_hdr(skb)->ttl;
+	const u8 ttl;
+
+	if (!skb)
+		return false;
+
+	ttl = ip_hdr(skb)->ttl;
 
 	switch (info->mode) {
 	case IPT_TTL_EQ:
@@ -36,15 +42,21 @@ static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		return ttl < info->ttl;
 	case IPT_TTL_GT:
 		return ttl > info->ttl;
+	default:
+		pr_warn("Unknown TTL match mode: %d\n", info->mode);
+		return false;
 	}
-
-	return false;
 }
 
 static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct ip6t_hl_info *info = par->matchinfo;
-	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+	const struct ipv6hdr *ip6h;
+
+	if (!skb)
+		return false;
+
+	ip6h = ipv6_hdr(skb);
 
 	switch (info->mode) {
 	case IP6T_HL_EQ:
@@ -55,9 +67,10 @@ static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 		return ip6h->hop_limit < info->hop_limit;
 	case IP6T_HL_GT:
 		return ip6h->hop_limit > info->hop_limit;
+	default:
+		pr_warn("Unknown Hop Limit match mode: %d\n", info->mode);
+		return false;
 	}
-
-	return false;
 }
 
 static struct xt_match hl_mt_reg[] __read_mostly = {
-- 
2.50.1 (Apple Git-155)

Re: [PATCH] netfilter: xt_HL: add pr_fmt, default case and NULL checks

[Florian Westphal]

Marino Dzalto <marino.dzalto@gmail.com> wrote:
> Signed-off-by: Marino Dzalto <marino.dzalto@gmail.com>
> ---
>  net/netfilter/xt_hl.c | 25 +++++++++++++++++++------
>  1 file changed, 19 insertions(+), 6 deletions(-)
> 
> diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
> index c1a70f8f0..9434d5ca8 100644
> --- a/net/netfilter/xt_hl.c
> +++ b/net/netfilter/xt_hl.c
> @@ -6,6 +6,7 @@
>   * Hop Limit matching module
>   * (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
>   */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>  
>  #include <linux/ip.h>
>  #include <linux/ipv6.h>
> @@ -25,7 +26,12 @@ MODULE_ALIAS("ip6t_hl");
>  static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
>  {
>  	const struct ipt_ttl_info *info = par->matchinfo;
> -	const u8 ttl = ip_hdr(skb)->ttl;
> +	const u8 ttl;
> +
> +	if (!skb)
> +		return false;

If this was NULL we'd have crashed already.

>  	case IPT_TTL_GT:
>  		return ttl > info->ttl;
> +	default:
> +		pr_warn("Unknown TTL match mode: %d\n", info->mode);
> +		return false;

Please add a .checkentry function and reject this from there.

Re: [PATCH] netfilter: xt_HL: add pr_fmt, default case and NULL checks

[Pablo Neira Ayuso]

On Fri, Apr 03, 2026 at 09:39:29PM +0200, Marino Dzalto wrote:
> diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
> index c1a70f8f0..9434d5ca8 100644
> --- a/net/netfilter/xt_hl.c
> +++ b/net/netfilter/xt_hl.c
[...]
>  static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
>  {
>  	const struct ip6t_hl_info *info = par->matchinfo;
> -	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
> +	const struct ipv6hdr *ip6h;
> +
> +	if (!skb)
> +		return false;

No skb !?

This codebase is frozen, I don't see any benefit in this update.