Re: [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it

[Florian Westphal <fw@strlen.de>]

Florian Westphal <fw@strlen.de> wrote:
> Ren Wei <n05ec@lzu.edu.cn> wrote:
> > From: Zhengchuan Liang <zcliangcn@gmail.com>
> > 
> > `eui64_mt6()` derives a modified EUI-64 from the Ethernet source
> > address and compares it with the low 64 bits of the IPv6 source
> > address.
> > 
> > The match unconditionally reaches `skb_mac_header()` and `eth_hdr(skb)`
> > after a guard that only rejects an invalid MAC header when
> > `par->fragoff != 0`. As a result, non-fragment packets can still reach
> > `eth_hdr(skb)` even when the skb has no MAC header set, or when the MAC
> > header does not cover a full Ethernet header.
> > 
> > Fix this by first checking that the MAC header is set and spans a full
> > Ethernet header before accessing it, then using that validated header
> > directly for the EUI-64 comparison. Preserve the existing hotdrop
> > behavior for non-first fragments with an invalid MAC header.
> 
> I find this rather confusing.  E.g. why is net/netfilter/xt_mac.c safe?
> I get the feeling that this patch is not sufficient?
> 
> > +	if (!skb_mac_header_was_set(skb)) {
> 
> Makes sense to me.
> 
> > +	mac = skb_mac_header(skb);
> > +	if (mac < skb->head || mac + ETH_HLEN > skb->data) {
> > +		if (par->fragoff != 0)
> > +			par->hotdrop = true;
> > +		return false;
> 
> Why do we still need this stunt?  Why not:
> 
> mac_len = skb_mac_header_len(skb);
> if (mac_len < ETH_HLEN) {
> 	par->hotdrop = true;
> 	return false;
> }
> 
> ?
> 
> I also feel there should be a check for ethernet, i.e.
>         if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
> 
> ... like in xt_mac.c.

There are other suspicious spots, e.g. in nf_log_syslog.c and in ipset.

Will you make a patch to cover all of these?