[PATCH nf] netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel

Netdev List
 help / color / mirror / Atom feed

* [PATCH nf] netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto()
@ 2026-06-05 16:47 Lorenzo Bianconi
  2026-06-07  9:55 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Lorenzo Bianconi @ 2026-06-05 16:47 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman
  Cc: netfilter-devel, coreteam, netdev, Lorenzo Bianconi

Add sanity check for iph->ihl field in nf_flow_ip4_tunnel_proto routine.
Moreover, similar to nf_flow_ip6_tunnel_proto(), rely on
skb_header_pointer() to validate skb header layout.

Fixes: ab427db178858 ("netfilter: flowtable: Add IPIP rx sw acceleration")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 net/netfilter/nf_flow_table_ip.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 9c05a50d6013..9684c19da37a 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -319,15 +319,17 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
 static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx,
 				     struct sk_buff *skb)
 {
-	struct iphdr *iph;
+	struct iphdr *iph, _iph;
 	u16 size;
 
-	if (!pskb_may_pull(skb, sizeof(*iph) + ctx->offset))
+	iph = skb_header_pointer(skb, ctx->offset, sizeof(*iph), &_iph);
+	if (!iph)
 		return false;
 
-	iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset);
-	size = iph->ihl << 2;
+	if (iph->ihl < 5)
+		return false;
 
+	size = iph->ihl << 2;
 	if (ip_is_fragment(iph) || unlikely(ip_has_options(size)))
 		return false;
 
@@ -335,9 +337,9 @@ static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx,
 		return false;
 
 	if (iph->protocol == IPPROTO_IPIP) {
-		ctx->tun.proto = IPPROTO_IPIP;
+		ctx->tun.proto = iph->protocol;
 		ctx->tun.hdr_size = size;
-		ctx->offset += size;
+		ctx->offset += ctx->tun.hdr_size;
 	}
 
 	return true;

---
base-commit: 4aacf509e537a711fa71bca9f234e5eb6968850e
change-id: 20260605-nf_flow_ip4_tunnel_proto-update-b31f7bff6fb9

Best regards,
-- 
Lorenzo Bianconi <lorenzo@kernel.org>


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH nf] netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto()
  2026-06-05 16:47 [PATCH nf] netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto() Lorenzo Bianconi
@ 2026-06-07  9:55 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2026-06-07  9:55 UTC (permalink / raw)
  To: Lorenzo Bianconi
  Cc: Florian Westphal, Phil Sutter, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, netfilter-devel,
	coreteam, netdev

Hi Lorenzo,

Thanks for your patch, comments below.

On Fri, Jun 05, 2026 at 06:47:48PM +0200, Lorenzo Bianconi wrote:
> Add sanity check for iph->ihl field in nf_flow_ip4_tunnel_proto routine.
> Moreover, similar to nf_flow_ip6_tunnel_proto(), rely on
> skb_header_pointer() to validate skb header layout.
> 
> Fixes: ab427db178858 ("netfilter: flowtable: Add IPIP rx sw acceleration")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> ---
>  net/netfilter/nf_flow_table_ip.c | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> index 9c05a50d6013..9684c19da37a 100644
> --- a/net/netfilter/nf_flow_table_ip.c
> +++ b/net/netfilter/nf_flow_table_ip.c
> @@ -319,15 +319,17 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
>  static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx,
>  				     struct sk_buff *skb)
>  {
> -	struct iphdr *iph;
> +	struct iphdr *iph, _iph;
>  	u16 size;
>  
> -	if (!pskb_may_pull(skb, sizeof(*iph) + ctx->offset))
> +	iph = skb_header_pointer(skb, ctx->offset, sizeof(*iph), &_iph);

I think we have to update nf_flow_ip6_tunnel_proto() to call
pskb_may_pull() instead, given that this calls skb_pull() later on to
pull the tunnel header and this ensures that the IP header this will
pull will be in a linear area.

> +	if (!iph)
>  		return false;
>  
> -	iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset);
> -	size = iph->ihl << 2;
> +	if (iph->ihl < 5)
> +		return false;
>  
> +	size = iph->ihl << 2;
>  	if (ip_is_fragment(iph) || unlikely(ip_has_options(size)))
>  		return false;
>  
> @@ -335,9 +337,9 @@ static bool nf_flow_ip4_tunnel_proto(struct nf_flowtable_ctx *ctx,
>  		return false;
>  
>  	if (iph->protocol == IPPROTO_IPIP) {
> -		ctx->tun.proto = IPPROTO_IPIP;
> +		ctx->tun.proto = iph->protocol;
>  		ctx->tun.hdr_size = size;
> -		ctx->offset += size;
> +		ctx->offset += ctx->tun.hdr_size;
>  	}
>  
>  	return true;
> 
> ---
> base-commit: 4aacf509e537a711fa71bca9f234e5eb6968850e
> change-id: 20260605-nf_flow_ip4_tunnel_proto-update-b31f7bff6fb9
> 
> Best regards,
> -- 
> Lorenzo Bianconi <lorenzo@kernel.org>
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-07  9:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-05 16:47 [PATCH nf] netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto() Lorenzo Bianconi
2026-06-07  9:55 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox