Commit cdd73cc5 authored Jun 10, 2021 by Pablo Neira Ayuso

netfilter: nft_exthdr: check for IPv6 packet before further processing



ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a
sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet
is passed for parsing.

Fixes: 96518518 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 8744365e

net/netfilter/nft_exthdr.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -42,6 +42,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
		unsigned int offset = 0;
		int err;

		if (pkt->skb->protocol != htons(ETH_P_IPV6))
		goto err;

		err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
		nft_reg_store8(dest, err >= 0);