netfilter: nft_exthdr: check for IPv6 packet before further processing

ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet is passed for parsing. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-10 20:20:30 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-16 20:51:50 +0200
commit: cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 (patch)
tree: 54f088ff4225a9734981d24578bc2c67d266e10b /net/netfilter
parent: 8744365e258459775bd9b49b705a82d66a21c2b4 (diff)
download: linux-cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4.tar.gz
linux-cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4.tar.bz2
linux-cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index f64f0017e9a5..670dd146fb2b 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -42,6 +42,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
 	unsigned int offset = 0;
 	int err;
 
+	if (pkt->skb->protocol != htons(ETH_P_IPV6))
+		goto err;
+
 	err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
 	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
 		nft_reg_store8(dest, err >= 0);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2021-06-10 20:20:30 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-06-16 20:51:50 +0200
commit	cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 (patch)
tree	54f088ff4225a9734981d24578bc2c67d266e10b /net/netfilter
parent	8744365e258459775bd9b49b705a82d66a21c2b4 (diff)
download	linux-cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4.tar.gz linux-cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4.tar.bz2 linux-cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4.zip