iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

netfilter: nf_flow_table: check ttl value in flow offload data path

Browse Source 
nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check
ttl value. So, ttl value overflow may occur.

Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4")
Fixes: 0995210753a2 ("netfilter: flow table support for IPv6")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Taehee Yoo 2019-04-30 01:55:54 +09:00 committed by Pablo Neira Ayuso
parent 26a302afbe
commit 33cc3c0cfa
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
net/netfilter/nf_flow_table_ip.c
View File

@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
iph->protocol != IPPROTO_UDP) iph->protocol != IPPROTO_UDP)
return -1; return -1;
if (iph->ttl <= 1)
return -1;
thoff = iph->ihl * 4; thoff = iph->ihl * 4;
if (!pskb_may_pull(skb, thoff + sizeof(*ports))) if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
return -1; return -1;
@ -411,6 +414,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
ip6h->nexthdr != IPPROTO_UDP) ip6h->nexthdr != IPPROTO_UDP)
return -1; return -1;
if (ip6h->hop_limit <= 1)
return -1;
thoff = sizeof(*ip6h); thoff = sizeof(*ip6h);
if (!pskb_may_pull(skb, thoff + sizeof(*ports))) if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
return -1; return -1;