* [PATCH] netfilter: ctnetlink: validate CTA_EXPECT_NAT_DIR value
@ 2026-03-12 14:42 Jenny Guanni Qu
From: Jenny Guanni Qu @ 2026-03-12 14:42 UTC (permalink / raw)
To: pablo, kadlec; +Cc: netfilter-devel, klaudia, dawid, Jenny Guanni Qu
ctnetlink_parse_expect_nat() reads the CTA_EXPECT_NAT_DIR attribute
from userspace via netlink and assigns it to exp->dir without checking
whether it is a valid direction value. Since exp->dir is used as an
array index into the 2-element tuplehash[] array, an out-of-range
value causes an out-of-bounds access.
Add a bounds check to ensure the direction is less than IP_CT_DIR_MAX.
Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations")
Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
---
net/netfilter/nf_conntrack_netlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6a1239433830..ddf3a417f408 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3496,6 +3496,8 @@ ctnetlink_parse_expect_nat(const struct nlattr *attr,
exp->saved_addr = nat_tuple.src.u3;
exp->saved_proto = nat_tuple.src.u;
exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
+ if (exp->dir >= IP_CT_DIR_MAX)
+ return -EINVAL;
return 0;
#else
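Review bot: the bounds check runs only after the untrusted value has already been written into exp->dir, so validate the raw u32 first and assign on success, e.g. `u32 dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));` / `if (dir >= IP_CT_DIR_MAX) return -EINVAL;` / `exp->dir = dir;`. That keeps the comparison on the unsigned 32-bit value ntohl() returns rather than on whatever type the dir member has, and the expectation is never left holding an out-of-range direction on the error path.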
--
2.34.1
* Re: [PATCH] netfilter: ctnetlink: validate CTA_EXPECT_NAT_DIR value
From: Florian Westphal @ 2026-03-12 14:54 UTC (permalink / raw)
To: Jenny Guanni Qu; +Cc: pablo, kadlec, netfilter-devel, klaudia, dawid
Jenny Guanni Qu <qguanni@gmail.com> wrote:
> ctnetlink_parse_expect_nat() reads the CTA_EXPECT_NAT_DIR attribute
> from userspace via netlink and assigns it to exp->dir without checking
> whether it is a valid direction value. Since exp->dir is used as an
> array index into the 2-element tuplehash[] array, an out-of-range
> value causes an out-of-bounds access.
>
> Add a bounds check to ensure the direction is less than IP_CT_DIR_MAX.
Please see:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20260310132857.1383-1-fw@strlen.de/
We are seeing a massive influx of bug reports, and sometimes the same
issue is reported multiple times.
Due to the large backlog, we are unable to provide timely
pull requests to the net tree anymore.
I hope I can make another pull request with pending patches
this Friday.
We are aware that the conntrack expectation bugs remain
unresolved.
This is because some of the proposed fixes are not sufficient
and a further audit is going on.