* [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling
@ 2026-04-17 13:19 Florian Westphal
2026-04-18 7:28 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2026-04-17 13:19 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
sashiko.dev noticed that a similar bug pattern exists in arpt_mangle:
"IEEE1394 ARP payloads omit the target hardware address, advancing
arpptr by hln after the source IP address skips over the actual target
IP address."
Apply similar fix: check dev->type. If we're asked to mangle what
doesn't exist, drop the packet.
Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
Collides with an inflight patch.
I'll rebase or discard depending on what netdev@ does.
net/ipv4/netfilter/arpt_mangle.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index a4e07e5e9c11..5a3560e1b59b 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -13,6 +13,7 @@ static unsigned int
target(struct sk_buff *skb, const struct xt_action_param *par)
{
const struct arpt_mangle *mangle = par->targinfo;
+ bool has_tgt_devaddr = true;
const struct arphdr *arp;
unsigned char *arpptr;
int pln, hln;
@@ -39,13 +40,33 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
memcpy(arpptr, &mangle->u_s.src_ip, pln);
}
arpptr += pln;
+
+ if (IS_ENABLED(CONFIG_FIREWIRE_NET)) {
+ const struct net_device *dev = skb->dev;
+
+ if (!dev) {
+ /* can't munge without arphrd type. */
+ if (mangle->flags & (ARPT_MANGLE_TDEV|ARPT_MANGLE_TIP))
+ return NF_DROP;
+ return mangle->target;
+ }
+
+ if (dev->type == ARPHRD_IEEE1394)
+ has_tgt_devaddr = false;
+ }
+
if (mangle->flags & ARPT_MANGLE_TDEV) {
+ if (!has_tgt_devaddr)
+ return NF_DROP;
+
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
memcpy(arpptr, mangle->tgt_devaddr, hln);
}
- arpptr += hln;
+ if (has_tgt_devaddr)
+ arpptr += hln;
+
if (mangle->flags & ARPT_MANGLE_TIP) {
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
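Review bot: the `if (!dev)` branch makes the verdict depend on the build configuration for every link type, not only IEEE1394. With CONFIG_FIREWIRE_NET enabled, a rule carrying ARPT_MANGLE_TDEV or ARPT_MANGLE_TIP now returns NF_DROP whenever skb->dev is NULL, while a kernel built without that option still performs the target-side rewrite on the same packet. If skb->dev cannot be NULL at this point, the branch is dead code and can go; if it can, the comment should say when, since the fail-closed drop then also hits packets that were mangled as intended before the patch.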
--
2.52.0
* Re: [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling
2026-04-17 13:19 [PATCH nf] netfilter: arp_tables: fix IEEE1394 ARP payload mangling Florian Westphal
@ 2026-04-18 7:28 ` Pablo Neira Ayuso
2026-04-18 8:10 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2026-04-18 7:28 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Hi Florian,
On Fri, Apr 17, 2026 at 03:19:05PM +0200, Florian Westphal wrote:
> sashiko.dev noticed that a similar bug pattern exists in arpt_mangle:
> "IEEE1394 ARP payloads omit the target hardware address, advancing
> arpptr by hln after the source IP address skips over the actual target
> IP address."
>
> Apply similar fix: check dev->type. If we're asked to mangle what
> doesn't exist, drop the packet.
I included a fix for this in:
https://patchwork.kernel.org/project/netdevbpf/patch/20260417091422.342615-1-pablo@netfilter.org/
I forgot to mangle the patch title though to:
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
> Fixes: 6752c8db8e0c ("firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> Collides with an inflight patch.
Are you referring to the patch I made?
> I'll rebase or discard depending on what netdev@ does.
>
> net/ipv4/netfilter/arpt_mangle.c | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
> index a4e07e5e9c11..5a3560e1b59b 100644
> --- a/net/ipv4/netfilter/arpt_mangle.c
> +++ b/net/ipv4/netfilter/arpt_mangle.c
> @@ -13,6 +13,7 @@ static unsigned int
> target(struct sk_buff *skb, const struct xt_action_param *par)
> {
> const struct arpt_mangle *mangle = par->targinfo;
> + bool has_tgt_devaddr = true;
> const struct arphdr *arp;
> unsigned char *arpptr;
> int pln, hln;
> @@ -39,13 +40,33 @@ target(struct sk_buff *skb, const struct xt_action_param *par)
> memcpy(arpptr, &mangle->u_s.src_ip, pln);
> }
> arpptr += pln;
> +
> + if (IS_ENABLED(CONFIG_FIREWIRE_NET)) {
> + const struct net_device *dev = skb->dev;
> +
> + if (!dev) {
> + /* can't munge without arphrd type. */
> + if (mangle->flags & (ARPT_MANGLE_TDEV|ARPT_MANGLE_TIP))
> + return NF_DROP;
> + return mangle->target;
> + }
> +
> + if (dev->type == ARPHRD_IEEE1394)
> + has_tgt_devaddr = false;
> + }
> +
> if (mangle->flags & ARPT_MANGLE_TDEV) {
> + if (!has_tgt_devaddr)
> + return NF_DROP;
> +
> if (ARPT_DEV_ADDR_LEN_MAX < hln ||
> (arpptr + hln > skb_tail_pointer(skb)))
> return NF_DROP;
> memcpy(arpptr, mangle->tgt_devaddr, hln);
> }
> - arpptr += hln;
> + if (has_tgt_devaddr)
> + arpptr += hln;
> +
> if (mangle->flags & ARPT_MANGLE_TIP) {
> if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
> (arpptr + pln > skb_tail_pointer(skb)))
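Review bot: the `dev->type == ARPHRD_IEEE1394` test has no comment explaining why the target hardware address is absent, so the reason for the conditional `arpptr += hln` lives only in the commit message. A one-line comment at that test, saying that IEEE1394 ARP payloads omit the target hardware address and the target IP therefore follows the source IP directly, would keep the pointer arithmetic reviewable. The `!has_tgt_devaddr` drop inside the ARPT_MANGLE_TDEV branch also runs after the source-side `memcpy` above it; that is harmless because the packet is dropped, but doing the device-type check before any rewrite would make the ordering obvious.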
> --
> 2.52.0
>
>