[PATCH] netfilter: nf_nat_sip: validate exp->dir in nf_nat_sip_expected()

[PATCH] netfilter: nf_nat_sip: validate exp->dir in nf_nat_sip_expected()

[Jenny Guanni Qu]

nf_nat_sip_expected() uses exp->dir to index into the 2-element
tuplehash[] array without bounds checking. If exp->dir has an
out-of-range value, this causes a slab-out-of-bounds read.

KASAN reports:

  BUG: KASAN: slab-out-of-bounds in nf_nat_sip_expected+0x804/0x938
  Read of size 8 at addr ffff0000d113e3b8
  The buggy address is located 72 bytes to the right of
   allocated 240-byte region

Add a bounds check to ensure exp->dir is less than IP_CT_DIR_MAX.

Fixes: 9a6648210687 ("netfilter: nf_nat: support IPv6 in SIP NAT helper")
Reported-by: Jenny Guanni Qu <qguanni@gmail.com>
Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
---
 net/netfilter/nf_nat_sip.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index cf4aeb299bde..48b1b2d70a1e 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -326,6 +326,9 @@ static void nf_nat_sip_expected(struct nf_conn *ct,
 	/* This must be a fresh one. */
 	BUG_ON(ct->status & IPS_NAT_DONE_MASK);
 
+	if (exp->dir >= IP_CT_DIR_MAX)
+		return;
+
 	/* For DST manip, map port here to where it's expected. */
 	range.flags = (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);
 	range.min_proto = range.max_proto = exp->saved_proto;
-- 
2.34.1

Re: [PATCH] netfilter: nf_nat_sip: validate exp->dir in nf_nat_sip_expected()

[Florian Westphal]

Jenny Guanni Qu <qguanni@gmail.com> wrote:
> nf_nat_sip_expected() uses exp->dir to index into the 2-element
> tuplehash[] array without bounds checking. If exp->dir has an
> out-of-range value, this causes a slab-out-of-bounds read.
> 
> KASAN reports:
> 
>   BUG: KASAN: slab-out-of-bounds in nf_nat_sip_expected+0x804/0x938
>   Read of size 8 at addr ffff0000d113e3b8
>   The buggy address is located 72 bytes to the right of
>    allocated 240-byte region
> 
> Add a bounds check to ensure exp->dir is less than IP_CT_DIR_MAX.

Ok, but exp->dir isn't expected to contain crap.

How does exp->dir become >= IP_CT_DIR_MAX?
Are you sure this isn't papering over another bug?

In particular, there is missing validation in the ctnetlink code
for the dir argument.

https://lore.kernel.org/netdev/20260313150614.21177-3-fw@strlen.de/

Re: [PATCH] netfilter: nf_nat_sip: validate exp->dir in nf_nat_sip_expected()

[Pablo Neira Ayuso]

On Sat, Mar 14, 2026 at 12:32:37AM +0100, Florian Westphal wrote:
> Jenny Guanni Qu <qguanni@gmail.com> wrote:
> > nf_nat_sip_expected() uses exp->dir to index into the 2-element
> > tuplehash[] array without bounds checking. If exp->dir has an
> > out-of-range value, this causes a slab-out-of-bounds read.
> > 
> > KASAN reports:
> > 
> >   BUG: KASAN: slab-out-of-bounds in nf_nat_sip_expected+0x804/0x938
> >   Read of size 8 at addr ffff0000d113e3b8
> >   The buggy address is located 72 bytes to the right of
> >    allocated 240-byte region
> > 
> > Add a bounds check to ensure exp->dir is less than IP_CT_DIR_MAX.
> 
> Ok, but exp->dir isn't expected to contain crap.
> 
> How does exp->dir become >= IP_CT_DIR_MAX?
> Are you sure this isn't papering over another bug?
> 
> In particular, there is missing validation in the ctnetlink code
> for the dir argument.
> 
> https://lore.kernel.org/netdev/20260313150614.21177-3-fw@strlen.de/

Yes, this sounds like a duplicated bug.

Re: [PATCH] netfilter: nf_nat_sip: validate exp->dir in nf_nat_sip_expected()

[Guanni Qu]

Hi Florian, Pablo,

You're right, the root cause is the missing ctnetlink validation
that Florian's patch fixes. I hit this crash while testing SIP NAT
with crafted expectations via ctnetlink, which is how exp->dir
ended up out of range.

Happy to drop this in favor of Florian's ctnetlink fix.

Jenny

On Sat, Mar 14, 2026 at 4:50 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> On Sat, Mar 14, 2026 at 12:32:37AM +0100, Florian Westphal wrote:
> > Jenny Guanni Qu <qguanni@gmail.com> wrote:
> > > nf_nat_sip_expected() uses exp->dir to index into the 2-element
> > > tuplehash[] array without bounds checking. If exp->dir has an
> > > out-of-range value, this causes a slab-out-of-bounds read.
> > >
> > > KASAN reports:
> > >
> > >   BUG: KASAN: slab-out-of-bounds in nf_nat_sip_expected+0x804/0x938
> > >   Read of size 8 at addr ffff0000d113e3b8
> > >   The buggy address is located 72 bytes to the right of
> > >    allocated 240-byte region
> > >
> > > Add a bounds check to ensure exp->dir is less than IP_CT_DIR_MAX.
> >
> > Ok, but exp->dir isn't expected to contain crap.
> >
> > How does exp->dir become >= IP_CT_DIR_MAX?
> > Are you sure this isn't papering over another bug?
> >
> > In particular, there is missing validation in the ctnetlink code
> > for the dir argument.
> >
> > https://lore.kernel.org/netdev/20260313150614.21177-3-fw@strlen.de/
>
> Yes, this sounds like a duplicated bug.

Re: [PATCH] netfilter: nf_nat_sip: validate exp->dir in nf_nat_sip_expected()

[Florian Westphal]

Guanni Qu <qguanni@gmail.com> wrote:
> Hi Florian, Pablo,
> 
> You're right, the root cause is the missing ctnetlink validation
> that Florian's patch fixes. I hit this crash while testing SIP NAT
> with crafted expectations via ctnetlink, which is how exp->dir
> ended up out of range.

Thanks for confirming, I'll drop it from pachwork.