[PATCH v2 net] netfilter: nft_payload: validate offset for all csum_type paths

[PATCH v2 net] netfilter: nft_payload: validate offset for all csum_type paths

[Siho Lee]

From e11e35dfd10960ea8ca4258dfa6ed7aeb207179f Mon Sep 17 00:00:00 2001
From: Siho Lee <25esihoya@gmail.com>
Date: Fri, 29 May 2026 00:23:35 +0900
Subject: [PATCH v2] netfilter: nft_payload: validate offset for all csum_type
 paths

When csum_type is NFT_PAYLOAD_CSUM_NONE and csum_flags is 0, the
bounds check inside the csum condition block is skipped entirely.

For NFT_PAYLOAD_LL_HEADER, offset is computed as:
    offset = skb_mac_header(skb) - skb->data - vlan_hlen
which evaluates to -14 (or -18 with VLAN) after eth_type_trans()
pulls the Ethernet header. This is a valid negative offset that
refers to the Ethernet header area (used by bridge/vlan rules).

However, without any bounds check in the csum=NONE path:
- skb_ensure_writable(skb, max(offset + priv->len, 0)):
  max() converts negative values to 0, making it a no-op.
- skb_store_bits(skb, offset, src, priv->len):
  A negative offset that exceeds skb headroom writes out of bounds.

Add proper validation after the csum condition block:
- Negative offsets: ensure they fall within skb_headroom(skb)
  (bridge/vlan rules legitimately access the Ethernet header)
- Positive offsets: ensure offset + len does not exceed skb->len

Also remove the max() wrapper from skb_ensure_writable() since
the new validation guarantees the offset is within range.

Fixes: d5953d680f7e ("netfilter: nft_payload: sanitize offset and
length before calling skb_checksum()")
Cc: stable@vger.kernel.org
Signed-off-by: Siho Lee <25esihoya@gmail.com>
---
 net/netfilter/nft_payload.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 01e13e5255a9..2c891c13bbf5 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -892,7 +892,17 @@ static void nft_payload_set_eval(const struct
nft_expr *expr,
 			goto err;
 	}

-	if (skb_ensure_writable(skb, max(offset + priv->len, 0)) ||
+	/* Negative offset (LL_HEADER with bridge/vlan) must be within headroom.
+	 * Positive offset must be within skb length.
+	 */
+	if (offset < 0) {
+		if (-offset > (int)skb_headroom(skb))
+			goto err;
+	} else if (offset + priv->len > skb->len) {
+		goto err;
+	}
+
+	if (skb_ensure_writable(skb, offset + priv->len) ||
 	    skb_store_bits(skb, offset, src, priv->len) < 0)
 		goto err;

-- 
2.43.0

Re: [PATCH v2 net] netfilter: nft_payload: validate offset for all csum_type paths

[Florian Westphal]

Siho Lee <25esihoya@gmail.com> wrote:
> For NFT_PAYLOAD_LL_HEADER, offset is computed as:
>     offset = skb_mac_header(skb) - skb->data - vlan_hlen
> which evaluates to -14 (or -18 with VLAN) after eth_type_trans()
> pulls the Ethernet header. This is a valid negative offset that
> refers to the Ethernet header area (used by bridge/vlan rules).
> 
> However, without any bounds check in the csum=NONE path:
> - skb_ensure_writable(skb, max(offset + priv->len, 0)):
>   max() converts negative values to 0, making it a no-op.

Are you sure?

> - skb_store_bits(skb, offset, src, priv->len):
>   A negative offset that exceeds skb headroom writes out of bounds.

Sure, but how can that happen?  This should be explained here,
because I am NOT seeing a bug in the first place.

> Add proper validation after the csum condition block:
> - Negative offsets: ensure they fall within skb_headroom(skb)
>   (bridge/vlan rules legitimately access the Ethernet header)
> - Positive offsets: ensure offset + len does not exceed skb->len

Large offset/len should make skb_copy_bits return an error.

> Also remove the max() wrapper from skb_ensure_writable() since
> the new validation guarantees the offset is within range.

No, this patch still breaks test cases we have.  Please figure out
if there is a bug in this code, and if there is, explain it in a way
that I can understand (e.g. provide broken example that triggers OOB).

Then, git clone https://git.netfilter.org/nftables and make sure the
tests pass.

> +	if (skb_ensure_writable(skb, offset + priv->len) ||

ensure_writable has unsigned arg, so this -14 + 6 will asks for
4GB and this aborts here.

[PATCH net] netfilter: nft_payload: move offset bounds check outside csum condition

[Siho Lee]

From 574604a1b4a98ee130d7f727ad3c8a7df3f3b6f1 Mon Sep 17 00:00:00 2001
From: Siho Lee <25esihoya@gmail.com>
Date: Thu, 28 May 2026 22:39:03 +0900
Subject: [PATCH v1] netfilter: nft_payload: move offset bounds check outside
 csum condition

The bounds check for offset + priv->len was placed inside the csum
condition block. When csum_type is NFT_PAYLOAD_CSUM_NONE and
csum_flags is 0, the entire block including the bounds check is
skipped.

For NFT_PAYLOAD_LL_HEADER, offset is computed as:
    offset = skb_mac_header(skb) - skb->data - vlan_hlen
which evaluates to -14 (or -18 with VLAN) after eth_type_trans()
pulls the Ethernet header.

Without the bounds check, a negative offset reaches:
    skb_ensure_writable(skb, max(offset + priv->len, 0))
    skb_store_bits(skb, offset, src, priv->len)

max(-14 + 4, 0) == 0 makes skb_ensure_writable a no-op, and
skb_store_bits(skb, -14, ...) writes to skb headroom (OOB write).

The signed-unsigned comparison in the bounds check correctly catches
negative offsets: (unsigned int)(-10) is a large positive value that
exceeds any valid skb->len.

Move the bounds check outside the csum condition so it applies
regardless of csum_type/csum_flags.

Fixes: d5953d680f7e ("netfilter: nft_payload: sanitize offset and
length before calling skb_checksum()")
Cc: stable@vger.kernel.org
Signed-off-by: Siho Lee <25esihoya@gmail.com>
---
 net/netfilter/nft_payload.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 01e13e5255a9..62661e4eeb13 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -873,13 +873,13 @@ static void nft_payload_set_eval(const struct
nft_expr *expr,
 	csum_offset = offset + priv->csum_offset;
 	offset += priv->offset;

+	if (offset + priv->len > skb->len)
+		goto err;
+
 	if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&
 	    ((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
 	      priv->base != NFT_PAYLOAD_INNER_HEADER) ||
 	     skb->ip_summed != CHECKSUM_PARTIAL)) {
-		if (offset + priv->len > skb->len)
-			goto err;
-
 		fsum = skb_checksum(skb, offset, priv->len, 0);
 		tsum = csum_partial(src, priv->len, 0);

-- 
2.43.0

Re: [PATCH net] netfilter: nft_payload: move offset bounds check outside csum condition

[Florian Westphal]

Siho Lee <25esihoya@gmail.com> wrote:
> From 574604a1b4a98ee130d7f727ad3c8a7df3f3b6f1 Mon Sep 17 00:00:00 2001
> From: Siho Lee <25esihoya@gmail.com>
> Date: Thu, 28 May 2026 22:39:03 +0900
> Subject: [PATCH v1] netfilter: nft_payload: move offset bounds check outside
>  csum condition
> 
> The bounds check for offset + priv->len was placed inside the csum
> condition block. When csum_type is NFT_PAYLOAD_CSUM_NONE and
> csum_flags is 0, the entire block including the bounds check is
> skipped.
> 
> For NFT_PAYLOAD_LL_HEADER, offset is computed as:
>     offset = skb_mac_header(skb) - skb->data - vlan_hlen
> which evaluates to -14 (or -18 with VLAN) after eth_type_trans()
> pulls the Ethernet header.
> 
> Without the bounds check, a negative offset reaches:
>     skb_ensure_writable(skb, max(offset + priv->len, 0))
>     skb_store_bits(skb, offset, src, priv->len)
> 
> max(-14 + 4, 0) == 0 makes skb_ensure_writable a no-op, and
> skb_store_bits(skb, -14, ...) writes to skb headroom (OOB write).
> 
> The signed-unsigned comparison in the bounds check correctly catches
> negative offsets: (unsigned int)(-10) is a large positive value that
> exceeds any valid skb->len.
> 
> Move the bounds check outside the csum condition so it applies
> regardless of csum_type/csum_flags.

This breaks link layer update support.

# cd git/nftables/tests/shell
# NFT=nft ./run-tests.sh testcases/packetpath/bridge_pass_up C
W: [FAILED]     1/1 testcases/packetpath/bridge_pass_up

[PATCH v2 net] netfilter: nft_payload: validate offset for all csum_type paths

[Siho Lee]

From e11e35dfd10960ea8ca4258dfa6ed7aeb207179f Mon Sep 17 00:00:00 2001
From: Siho Lee <25esihoya@gmail.com>
Date: Fri, 29 May 2026 00:23:35 +0900
Subject: [PATCH v2] netfilter: nft_payload: validate offset for all csum_type
 paths

When csum_type is NFT_PAYLOAD_CSUM_NONE and csum_flags is 0, the
bounds check inside the csum condition block is skipped entirely.

For NFT_PAYLOAD_LL_HEADER, offset is computed as:
    offset = skb_mac_header(skb) - skb->data - vlan_hlen
which evaluates to -14 (or -18 with VLAN) after eth_type_trans()
pulls the Ethernet header. This is a valid negative offset that
refers to the Ethernet header area (used by bridge/vlan rules).

However, without any bounds check in the csum=NONE path:
- skb_ensure_writable(skb, max(offset + priv->len, 0)):
  max() converts negative values to 0, making it a no-op.
- skb_store_bits(skb, offset, src, priv->len):
  A negative offset that exceeds skb headroom writes out of bounds.

Add proper validation after the csum condition block:
- Negative offsets: ensure they fall within skb_headroom(skb)
  (bridge/vlan rules legitimately access the Ethernet header)
- Positive offsets: ensure offset + len does not exceed skb->len

Also remove the max() wrapper from skb_ensure_writable() since
the new validation guarantees the offset is within range.

Fixes: d5953d680f7e ("netfilter: nft_payload: sanitize offset and
length before calling skb_checksum()")
Cc: stable@vger.kernel.org
Signed-off-by: Siho Lee <25esihoya@gmail.com>
---
 net/netfilter/nft_payload.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 01e13e5255a9..2c891c13bbf5 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -892,7 +892,17 @@ static void nft_payload_set_eval(const struct
nft_expr *expr,
 			goto err;
 	}

-	if (skb_ensure_writable(skb, max(offset + priv->len, 0)) ||
+	/* Negative offset (LL_HEADER with bridge/vlan) must be within headroom.
+	 * Positive offset must be within skb length.
+	 */
+	if (offset < 0) {
+		if (-offset > (int)skb_headroom(skb))
+			goto err;
+	} else if (offset + priv->len > skb->len) {
+		goto err;
+	}
+
+	if (skb_ensure_writable(skb, offset + priv->len) ||
 	    skb_store_bits(skb, offset, src, priv->len) < 0)
 		goto err;

-- 
2.43.0