diff options
Diffstat (limited to 'target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch')
| -rw-r--r-- | target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch | 87 |
1 files changed, 0 insertions, 87 deletions
diff --git a/target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch b/target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch deleted file mode 100644 index 29f211e8a5..0000000000 --- a/target/linux/generic/backport-6.1/740-v6.9-01-netfilter-flowtable-validate-pppoe-header.patch +++ /dev/null @@ -1,87 +0,0 @@ -From: Pablo Neira Ayuso <pablo@netfilter.org> -Date: Thu, 11 Apr 2024 13:28:59 +0200 -Subject: [PATCH] netfilter: flowtable: validate pppoe header - -Ensure there is sufficient room to access the protocol field of the -PPPoe header. Validate it once before the flowtable lookup, then use a -helper function to access protocol field. - -Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com -Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - ---- a/include/net/netfilter/nf_flow_table.h -+++ b/include/net/netfilter/nf_flow_table.h -@@ -335,7 +335,7 @@ int nf_flow_rule_route_ipv6(struct net * - int nf_flow_table_offload_init(void); - void nf_flow_table_offload_exit(void); - --static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) -+static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) - { - __be16 proto; - -@@ -351,6 +351,16 @@ static inline __be16 nf_flow_pppoe_proto - return 0; - } - -+static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) -+{ -+ if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) -+ return false; -+ -+ *inner_proto = __nf_flow_pppoe_proto(skb); -+ -+ return true; -+} -+ - #define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count) - #define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count) - #define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \ ---- a/net/netfilter/nf_flow_table_inet.c -+++ b/net/netfilter/nf_flow_table_inet.c -@@ -21,7 +21,8 @@ nf_flow_offload_inet_hook(void *priv, st - proto = veth->h_vlan_encapsulated_proto; - break; - case htons(ETH_P_PPP_SES): -- proto = nf_flow_pppoe_proto(skb); -+ if (!nf_flow_pppoe_proto(skb, &proto)) -+ return NF_ACCEPT; - break; - default: - proto = skb->protocol; ---- a/net/netfilter/nf_flow_table_ip.c -+++ b/net/netfilter/nf_flow_table_ip.c -@@ -267,10 +267,11 @@ static unsigned int nf_flow_xmit_xfrm(st - return NF_STOLEN; - } - --static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, -+static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, - u32 *offset) - { - struct vlan_ethhdr *veth; -+ __be16 inner_proto; - - switch (skb->protocol) { - case htons(ETH_P_8021Q): -@@ -281,7 +282,8 @@ static bool nf_flow_skb_encap_protocol(c - } - break; - case htons(ETH_P_PPP_SES): -- if (nf_flow_pppoe_proto(skb) == proto) { -+ if (nf_flow_pppoe_proto(skb, &inner_proto) && -+ inner_proto == proto) { - *offset += PPPOE_SES_HLEN; - return true; - } -@@ -310,7 +312,7 @@ static void nf_flow_encap_pop(struct sk_ - skb_reset_network_header(skb); - break; - case htons(ETH_P_PPP_SES): -- skb->protocol = nf_flow_pppoe_proto(skb); -+ skb->protocol = __nf_flow_pppoe_proto(skb); - skb_pull(skb, PPPOE_SES_HLEN); - skb_reset_network_header(skb); - break; |