From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1DC92E95A8E for ; Mon, 9 Oct 2023 13:39:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377292AbjJINjg (ORCPT ); Mon, 9 Oct 2023 09:39:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377428AbjJINjA (ORCPT ); Mon, 9 Oct 2023 09:39:00 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85F09113 for ; Mon, 9 Oct 2023 06:38:52 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 703B7C433C8; Mon, 9 Oct 2023 13:38:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1696858731; bh=HxTsNHCHHHARq9fK/1pdGPBy9RWidQVoQNIk+4vWhAk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y411bwUKKSkFuGXhjk/0tjtaMPoWcDygqsdi4psvVvk61SVPVKLBDZqyCCVLWHfq7 PiulfDoFXXV22KXh+88c9AJHmdpZT8EXkLjhSRTKd9ONEEOJe2p4hoeD1BCHzBd7ri Sipr3cLc+oqjRr8WdVaf9Oq/0a8moNOIY04SEF88= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Xiao Liang , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 5.10 082/226] netfilter: nft_exthdr: Fix non-linear header modification Date: Mon, 9 Oct 2023 15:00:43 +0200 Message-ID: <20231009130128.931939317@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231009130126.697995596@linuxfoundation.org> References: <20231009130126.697995596@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Xiao Liang [ Upstream commit 28427f368f0e08d504ed06e74bc7cc79d6d06511 ] Fix skb_ensure_writable() size. Don't use nft_tcp_header_pointer() to make it explicit that pointers point to the packet (not local buffer). Fixes: 99d1712bc41c ("netfilter: exthdr: tcp option set support") Fixes: 7890cbea66e7 ("netfilter: exthdr: add support for tcp option removal") Cc: stable@vger.kernel.org Signed-off-by: Xiao Liang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nft_exthdr.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index 7a00867aa64ba..b4682aeabab96 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -238,7 +238,12 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr, if (!tcph) goto err; + if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len)) + goto err; + + tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt)); opt = (u8 *)tcph; + for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) { union { __be16 v16; @@ -253,15 +258,6 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr, if (i + optl > tcphdr_len || priv->len + priv->offset > optl) goto err; - if (skb_ensure_writable(pkt->skb, - nft_thoff(pkt) + i + priv->len)) - goto err; - - tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, - &tcphdr_len); - if (!tcph) - goto err; - offset = i + priv->offset; switch (priv->len) { @@ -325,9 +321,9 @@ static void nft_exthdr_tcp_strip_eval(const struct nft_expr *expr, if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len)) goto drop; - opt = (u8 *)nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len); - if (!opt) - goto err; + tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt)); + opt = (u8 *)tcph; + for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) { unsigned int j; -- 2.40.1