Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: nft_payload: rebuild vlan header on h_proto access

nft can perform merging of adjacent payload requests.
This means that:

ether saddr 00:11 ... ether type 8021ad ...

is a single payload expression, for 8 bytes, starting at the
ethernet source offset.

Check that offset+length is fully within the source/destination mac
addresses.

This bug prevents 'ether type' from matching the correct h_proto in case
vlan tag got stripped.

Fixes: de6843be3082 ("netfilter: nft_payload: rebuild vlan header when needed")
Reported-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Florian Westphal <fw@strlen.de>

+12 -1
net/netfilter/nft_payload.c
··· 154 154 return pkt->inneroff; 155 155 } 156 156 157 + static bool nft_payload_need_vlan_copy(const struct nft_payload *priv) 158 + { 159 + unsigned int len = priv->offset + priv->len; 160 + 161 + /* data past ether src/dst requested, copy needed */ 162 + if (len > offsetof(struct ethhdr, h_proto)) 163 + return true; 164 + 165 + return false; 166 + } 167 + 157 168 void nft_payload_eval(const struct nft_expr *expr, 158 169 struct nft_regs *regs, 159 170 const struct nft_pktinfo *pkt) ··· 183 172 goto err; 184 173 185 174 if (skb_vlan_tag_present(skb) && 186 - priv->offset >= offsetof(struct ethhdr, h_proto)) { 175 + nft_payload_need_vlan_copy(priv)) { 187 176 if (!nft_payload_copy_vlan(dest, skb, 188 177 priv->offset, priv->len)) 189 178 goto err;
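Review bot: The condition in the new nft_payload_need_vlan_copy() is a strict superset of the replaced 'priv->offset >= offsetof(struct ethhdr, h_proto)' test (any request starting at or past h_proto with a non-zero len also satisfies 'offset + len > offsetof(struct ethhdr, h_proto)'), so no previously copied case regresses while requests that merely extend into h_proto now get the rebuilt vlan header; it is worth saying so in the comment above the check, since the helper's name alone does not make the old-versus-new relationship obvious. Minor style point: the if/return true/return false body in the first hunk can collapse to 'return priv->offset + priv->len > offsetof(struct ethhdr, h_proto);'.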