mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-13 14:24:11 +08:00
netfilter: nft_payload: sanitize offset and length before calling skb_checksum()
If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().
skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.
Fixes: 7ec3f7b47b
("netfilter: nft_payload: add packet mangling support")
Reported-by: Slavin Liu <slavin-ayu@qq.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
4ed234fe79
commit
d5953d680f
@ -904,6 +904,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
|
||||
((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
|
||||
priv->base != NFT_PAYLOAD_INNER_HEADER) ||
|
||||
skb->ip_summed != CHECKSUM_PARTIAL)) {
|
||||
if (offset + priv->len > skb->len)
|
||||
goto err;
|
||||
|
||||
fsum = skb_checksum(skb, offset, priv->len, 0);
|
||||
tsum = csum_partial(src, priv->len, 0);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user