| From 5a646d4dbfeed10d6e5881dfdd2142dfeec88216 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 10 Jun 2021 20:20:30 +0200 |
| Subject: netfilter: nft_exthdr: check for IPv6 packet before further |
| processing |
| |
| From: Pablo Neira Ayuso <pablo@netfilter.org> |
| |
| [ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ] |
| |
| ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a |
| sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet |
| is passed for parsing. |
| |
| Fixes: 96518518cc41 ("netfilter: add nftables") |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/netfilter/nft_exthdr.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c |
| index 3c48cdc8935d..faa0844c01fb 100644 |
| --- a/net/netfilter/nft_exthdr.c |
| +++ b/net/netfilter/nft_exthdr.c |
| @@ -42,6 +42,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, |
| unsigned int offset = 0; |
| int err; |
| |
| + if (pkt->skb->protocol != htons(ETH_P_IPV6)) |
| + goto err; |
| + |
| err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL); |
| if (priv->flags & NFT_EXTHDR_F_PRESENT) { |
| nft_reg_store8(dest, err >= 0); |
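Review bot: The new guard at the top of nft_exthdr_ipv6_eval() has no comment explaining why skb->protocol is tested, and the reason is not visible in the code: per the commit message, ipv6_find_hdr() does not itself validate that the packet is IPv6. A one-line comment above the check would keep it from being dropped in a later cleanup, e.g. `/* ipv6_find_hdr() assumes an IPv6 header; bail out on anything else */`. The guard also sits before the NFT_EXTHDR_F_PRESENT branch, so a non-IPv6 packet now jumps to `err` instead of storing 0 through nft_reg_store8(). The `err` label and the rest of the function lie outside this hunk, so what that path does cannot be confirmed from here, but the comment should say so if the difference for existence checks is intended. The label also shares its name with the local `int err`, which is legal C but easy to misread.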
| -- |
| 2.30.2 |
| |