netfilter: don't track fragmented packets
authorFlorian Westphal <fw@strlen.de>
Fri, 3 Mar 2017 20:44:00 +0000 (21:44 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 8 Mar 2017 17:02:12 +0000 (18:02 +0100)
commit7b4fdf77a450ec0fdcb2f677b080ddbf2c186544
treec4bbce5d29dfa51fa2a5d02b657b432adbfea30a
parent8d70eeb84ab277377c017af6a21d0a337025dede
netfilter: don't track fragmented packets

Andrey reports syzkaller splat caused by

NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));

in ipv4 nat.  But this assertion (and the comment) are wrong, this function
does see fragments when IP_NODEFRAG setsockopt is used.

As conntrack doesn't track packets without complete l4 header, only the
first fragment is tracked.

Because applying nat to first packet but not the rest makes no sense this
also turns off tracking of all fragments.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c