Commit 4cb3f5b8 authored Dec 12, 2024 by Pablo Neira Ayuso Committed by Dong Chenchen Dec 12, 2024

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

stable inclusion
from stable-v4.19.323
commit a661ed364ae6ae88c2fafa9ddc27df1af2a73701
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB37AM
CVE: CVE-2024-50251

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a661ed364ae6ae88c2fafa9ddc27df1af2a73701



--------------------------------

[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]

If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().

skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.

Fixes: 7ec3f7b4 ("netfilter: nft_payload: add packet mangling support")
Reported-by: Slavin Liu <slavin-ayu@qq.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

parent faa52e40

net/netfilter/nft_payload.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -306,6 +306,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
		if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET \|\| priv->csum_flags) &&
		(priv->base != NFT_PAYLOAD_TRANSPORT_HEADER \|\|
		skb->ip_summed != CHECKSUM_PARTIAL)) {
		if (offset + priv->len > skb->len)
		goto err;

		fsum = skb_checksum(skb, offset, priv->len, 0);
		tsum = csum_partial(src, priv->len, 0);