From 12394e1b36151809f15c2ee835233dfe252e8fb1 Mon Sep 17 00:00:00 2001 |
From: Sasha Levin <sashal@kernel.org> |
Date: Sun, 21 Aug 2022 11:55:19 +0200 |
Subject: netfilter: nft_payload: do not truncate csum_offset and csum_type |
|
From: Pablo Neira Ayuso <pablo@netfilter.org> |
|
[ Upstream commit 7044ab281febae9e2fa9b0b247693d6026166293 ] |
|
Instead report ERANGE if csum_offset is too long, and EOPNOTSUPP if type |
is not supported. |
|
Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support") |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
--- |
net/netfilter/nft_payload.c | 19 +++++++++++++------ |
1 file changed, 13 insertions(+), 6 deletions(-) |
|
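diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 4fee67abfe2c5..eb0e40c297121 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -740,17 +740,23 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
 const struct nlattr * const tb[])
 {
 struct nft_payload_set *priv = nft_expr_priv(expr);
+ u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE;
+ int err;
 
 priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
 priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
 priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
 
 if (tb[NFTA_PAYLOAD_CSUM_TYPE])
- priv->csum_type =
- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
- if (tb[NFTA_PAYLOAD_CSUM_OFFSET])
- priv->csum_offset =
- ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_OFFSET]));
+ csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
+ if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) {
+ err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX,
+ &csum_offset);
+ if (err < 0)
+ return err;
+
+ priv->csum_offset = csum_offset;
+ }
 if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) {
 u32 flags;
 
@@ -761,7 +767,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
 priv->csum_flags = flags;
 }
 
- switch (priv->csum_type) {
+ switch (csum_type) {
 case NFT_PAYLOAD_CSUM_NONE:
 case NFT_PAYLOAD_CSUM_INET:
 break;
@@ -775,6 +781,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
 default:
 return -EOPNOTSUPP;
 }
+ priv->csum_type = csum_type;
 
 return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg,
 priv->len);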
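Review bot: The context lines at the top of the first hunk still store `priv->base`, `priv->offset` and `priv->len` straight from `ntohl(nla_get_be32(...))`, so only the two checksum fields get the range check this commit introduces. The field widths are not visible here, but if offset and len are as narrow as csum_offset appears to be (it is bounded by U8_MAX), an oversized netlink value would be silently truncated, the expression would act on a different byte range than the ruleset requested, and the truncated length is what reaches `nft_parse_register_load()`. I would parse them the same way, e.g. `err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);` followed by the `if (err < 0) return err;` check before assigning, with the bound matched to each field's type. nft_payload_set_init starts before the first hunk and the middle of the csum_type switch lies between the second and third hunks, so this is based on the visible lines only.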
-- |
2.35.1 |
|