Commit 46abd173 authored Jan 28, 2023 by Xin Long Committed by Jakub Kicinski Feb 01, 2023

bridge: use skb_ip_totlen in br netfilter



These 3 places in bridge netfilter are called on RX path after GRO
and IPv4 TCP GSO packets may come through, so replace iph tot_len
accessing with skb_ip_totlen() in there.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 058a8f7f

net/bridge/br_netfilter_hooks.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -214,7 +214,7 @@ static int br_validate_ipv4(struct net net, struct sk_buff skb)
		if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
		goto csum_error;

		len = ntohs(iph->tot_len);
		len = skb_ip_totlen(skb);
		if (skb->len < len) {
		__IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
		goto drop;

net/bridge/netfilter/nf_conntrack_bridge.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -212,7 +212,7 @@ static int nf_ct_br_ip_check(const struct sk_buff *skb)
		iph->version != 4)
		return -1;

		len = ntohs(iph->tot_len);
		len = skb_ip_totlen(skb);
		if (skb->len < nhoff + len \|\|
		len < (iph->ihl * 4))
		return -1;
		@@ -256,7 +256,7 @@ static unsigned int nf_ct_bridge_pre(void priv, struct sk_buff skb,
		if (!pskb_may_pull(skb, sizeof(struct iphdr)))
		return NF_ACCEPT;

		len = ntohs(ip_hdr(skb)->tot_len);
		len = skb_ip_totlen(skb);
		if (pskb_trim_rcsum(skb, len))
		return NF_ACCEPT;