!13435 netfilter: nf_tables: prevent nf_skb_duplicated corruption (e291bdcc) · Commits · EulixOS / Software / Kernel

net/ipv4/netfilter/nf_dup_ipv4.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net net, struct sk_buff skb, unsigned int hooknum,
		{
		struct iphdr *iph;

		local_bh_disable();
		if (this_cpu_read(nf_skb_duplicated))
		return;
		goto out;
		/*
		* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
		* the original skb, which should continue on its way as if nothing has
		@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net net, struct sk_buff skb, unsigned int hooknum,
		*/
		skb = pskb_copy(skb, GFP_ATOMIC);
		if (skb == NULL)
		return;
		goto out;

		#if IS_ENABLED(CONFIG_NF_CONNTRACK)
		/* Avoid counting cloned packets towards the original connection. */
		@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net net, struct sk_buff skb, unsigned int hooknum,
		} else {
		kfree_skb(skb);
		}
		out:
		local_bh_enable();
		}
		EXPORT_SYMBOL_GPL(nf_dup_ipv4);

+5 −2

Original line number	Diff line number	Diff line
		@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net net, struct sk_buff skb,
		void nf_dup_ipv6(struct net net, struct sk_buff skb, unsigned int hooknum,
		const struct in6_addr *gw, int oif)
		{
		local_bh_disable();
		if (this_cpu_read(nf_skb_duplicated))
		return;
		goto out;
		skb = pskb_copy(skb, GFP_ATOMIC);
		if (skb == NULL)
		return;
		goto out;

		#if IS_ENABLED(CONFIG_NF_CONNTRACK)
		nf_reset_ct(skb);
		@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net net, struct sk_buff skb, unsigned int hooknum,
		} else {
		kfree_skb(skb);
		}
		out:
		local_bh_enable();
		}
		EXPORT_SYMBOL_GPL(nf_dup_ipv6);