public inbox for netfilter-devel@vger.kernel.org
From: Florian Westphal <fw@strlen.de>
To: Jenny Guanni Qu <qguanni@gmail.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org,
	netfilter-devel@vger.kernel.org, klaudia@vidocsecurity.com,
	dawid@vidocsecurity.com
Subject: Re: [PATCH] netfilter: ctnetlink: validate CTA_EXPECT_NAT_DIR value
Date: Thu, 12 Mar 2026 15:54:01 +0100
Message-ID: <abLTiYt1Q4aZUAoJ@strlen.de>
In-Reply-To: <20260312144252.2985553-1-qguanni@gmail.com>

Jenny Guanni Qu <qguanni@gmail.com> wrote:
> ctnetlink_parse_expect_nat() reads the CTA_EXPECT_NAT_DIR attribute
> from userspace via netlink and assigns it to exp->dir without checking
> whether it is a valid direction value. Since exp->dir is used as an
> array index into the 2-element tuplehash[] array, an out-of-range
> value causes an out-of-bounds access.
> 
> Add a bounds check to ensure the direction is less than IP_CT_DIR_MAX.

Please see:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260310132857.1383-1-fw@strlen.de/

We are seeing a massive influx of bug reports, and sometimes the same
issue is reported multiple times.

Due to the large backlog, we are unable to provide timely
pull requests to the net tree anymore.

I hope I can make another pull request with pending patches
this Friday.

We are aware that the conntrack expectation bugs remain
unresolved.

This is because some of the proposed fixes are not sufficient
and a further audit is going on.
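
Added example, not part of this thread, the kernel source, or either patch: a userspace C model of the range check the quoted patch description asks for, applied to a netlink-style attribute before its value is used as an index into a 2-element array. The names attr_hdr, build_dir_attr and parse_expect_nat_dir, the attribute type number, and the big-endian u32 payload are assumptions of this model.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_CT_DIR_MAX      2   /* size of the 2-element array named in the patch description */
#define CTA_EXPECT_NAT_DIR 1   /* attribute type number: an assumption of this model */

struct attr_hdr { uint16_t len; uint16_t type; };   /* nlattr-style header (hypothetical name) */

/* Build a constructed attribute: 4-byte header + big-endian u32 direction. */
void build_dir_attr(uint8_t out[8], uint32_t dir)
{
    struct attr_hdr h = { .len = 8, .type = CTA_EXPECT_NAT_DIR };
    uint32_t be = htonl(dir);
    memcpy(out, &h, sizeof(h));
    memcpy(out + sizeof(h), &be, sizeof(be));
}

/* Check length, type and range before the value may be used as an index.
 * Returns 0 or -EINVAL; *dir_out is left untouched on failure. */
int parse_expect_nat_dir(const uint8_t *buf, size_t buflen, uint32_t *dir_out)
{
    struct attr_hdr h;
    uint32_t be, dir;
    if (buflen < sizeof(h) + sizeof(be))
        return -EINVAL;
    memcpy(&h, buf, sizeof(h));
    if (h.type != CTA_EXPECT_NAT_DIR || h.len != sizeof(h) + sizeof(be))
        return -EINVAL;
    memcpy(&be, buf + sizeof(h), sizeof(be));
    dir = ntohl(be);
    if (dir >= IP_CT_DIR_MAX)   /* reject anything outside {0, 1} */
        return -EINVAL;
    *dir_out = dir;
    return 0;
}

int main(void)
{
    uint32_t dir = 0, tuplehash[IP_CT_DIR_MAX] = { 100, 200 };   /* stand-in array */
    uint32_t samples[] = { 0, 1, 2, 0xffffffffu };               /* constructed inputs */
    uint8_t buf[8];
    for (size_t i = 0; i < 4; i++) {
        build_dir_attr(buf, samples[i]);
        int rc = parse_expect_nat_dir(buf, sizeof(buf), &dir);
        printf("dir=%u rc=%d slot=%u\n", (unsigned)samples[i], rc, (unsigned)tuplehash[dir]);
    }
    return 0;
}
```

Because the stored direction is only written after the range check passes, the array lookup in main() stays in bounds even for the rejected samples.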

Thread overview: 2+ messages
2026-03-12 14:42 [PATCH] netfilter: ctnetlink: validate CTA_EXPECT_NAT_DIR value Jenny Guanni Qu
2026-03-12 14:54 ` Florian Westphal [this message]
