netfilter: nft_payload: don't allow th access for fragments (a9e8503d) · Commits · EulixOS / Software / Kernel

net/netfilter/nft_exthdr.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -167,7 +167,7 @@ nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
		{
		struct tcphdr *tcph;

		if (pkt->tprot != IPPROTO_TCP)
		if (pkt->tprot != IPPROTO_TCP \|\| pkt->fragoff)
		return NULL;

		tcph = skb_header_pointer(pkt->skb, nft_thoff(pkt), sizeof(*tcph), buffer);

+5 −4

Original line number	Diff line number	Diff line
		@@ -83,7 +83,7 @@ static int __nft_payload_inner_offset(struct nft_pktinfo *pkt)
		{
		unsigned int thoff = nft_thoff(pkt);

		if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
		if (!(pkt->flags & NFT_PKTINFO_L4PROTO) \|\| pkt->fragoff)
		return -1;

		switch (pkt->tprot) {
		@@ -147,7 +147,7 @@ void nft_payload_eval(const struct nft_expr *expr,
		offset = skb_network_offset(skb);
		break;
		case NFT_PAYLOAD_TRANSPORT_HEADER:
		if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
		if (!(pkt->flags & NFT_PKTINFO_L4PROTO) \|\| pkt->fragoff)
		goto err;
		offset = nft_thoff(pkt);
		break;
		@@ -688,7 +688,7 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
		offset = skb_network_offset(skb);
		break;
		case NFT_PAYLOAD_TRANSPORT_HEADER:
		if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
		if (!(pkt->flags & NFT_PKTINFO_L4PROTO) \|\| pkt->fragoff)
		goto err;
		offset = nft_thoff(pkt);
		break;
		@@ -728,7 +728,8 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
		if (priv->csum_type == NFT_PAYLOAD_CSUM_SCTP &&
		pkt->tprot == IPPROTO_SCTP &&
		skb->ip_summed != CHECKSUM_PARTIAL) {
		if (nft_payload_csum_sctp(skb, nft_thoff(pkt)))
		if (pkt->fragoff == 0 &&
		nft_payload_csum_sctp(skb, nft_thoff(pkt)))
		goto err;
		}