| From ad9c7b5e44c15deef5bebc6106ed042863322f02 Mon Sep 17 00:00:00 2001 |
| From: Taehee Yoo <ap420073@gmail.com> |
| Date: Tue, 30 Apr 2019 01:55:54 +0900 |
| Subject: [PATCH] netfilter: nf_flow_table: check ttl value in flow offload |
| data path |
| |
| commit 33cc3c0cfa64c86b6c4bbee86997aea638534931 upstream. |
| |
| nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check |
| ttl value. So, ttl value overflow may occur. |
| |
| Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4") |
| Fixes: 0995210753a2 ("netfilter: flow table support for IPv6") |
| Signed-off-by: Taehee Yoo <ap420073@gmail.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c |
| index 15ed91309992..129e9ec99ec9 100644 |
| --- a/net/netfilter/nf_flow_table_ip.c |
| +++ b/net/netfilter/nf_flow_table_ip.c |
| @@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev, |
| iph->protocol != IPPROTO_UDP) |
| return -1; |
| |
| + if (iph->ttl <= 1) |
| + return -1; |
| + |
| thoff = iph->ihl * 4; |
| if (!pskb_may_pull(skb, thoff + sizeof(*ports))) |
| return -1; |
| @@ -412,6 +415,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev, |
| ip6h->nexthdr != IPPROTO_UDP) |
| return -1; |
| |
| + if (ip6h->hop_limit <= 1) |
| + return -1; |
| + |
| thoff = sizeof(*ip6h); |
| if (!pskb_may_pull(skb, thoff + sizeof(*ports))) |
| return -1; |
| -- |
| 2.7.4 |
| |
