projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9ee832d)
netfilter: nft_payload: do not truncate csum_offset and csum_type
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 21 Aug 2022 09:55:19 +0000 (11:55 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 Sep 2022 08:25:03 +0000 (10:25 +0200)
[ Upstream commit 7044ab281febae9e2fa9b0b247693d6026166293 ]

Instead report ERANGE if csum_offset is too long, and EOPNOTSUPP if type
is not support.

Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nft_payload.c patch | blob | blame | history

diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 04b9df9e39554bc4a118ba7a6c3ef90baddf3b54..5732b32ab9320075f3dd92a223eed537c9d02074 100644 (file)
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -332,6 +332,8 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
                                const struct nlattr * const tb[])
 {
        struct nft_payload_set *priv = nft_expr_priv(expr);
+       u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE;
+       int err;
 
        priv->base        = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
        priv->offset      = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
@@ -339,11 +341,15 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
        priv->sreg        = nft_parse_register(tb[NFTA_PAYLOAD_SREG]);
 
        if (tb[NFTA_PAYLOAD_CSUM_TYPE])
-               priv->csum_type =
-                       ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
-       if (tb[NFTA_PAYLOAD_CSUM_OFFSET])
-               priv->csum_offset =
-                       ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_OFFSET]));
+               csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
+       if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) {
+               err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX,
+                                         &csum_offset);
+               if (err < 0)
+                       return err;
+
+               priv->csum_offset = csum_offset;
+       }
        if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) {
                u32 flags;
 
@@ -354,13 +360,14 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
                priv->csum_flags = flags;
        }
 
-       switch (priv->csum_type) {
+       switch (csum_type) {
        case NFT_PAYLOAD_CSUM_NONE:
        case NFT_PAYLOAD_CSUM_INET:
                break;
        default:
                return -EOPNOTSUPP;
        }
+       priv->csum_type = csum_type;
 
        return nft_validate_register_load(priv->sreg, priv->len);
 }