authorFlorian Westphal <fw@strlen.de>2022-01-29 17:13:23 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2022-02-04 05:38:15 +0100
commita9e8503def0fd4ed89ade1f61c315f904581d439 (patch)
tree7e7678e27bded2e65072d96af8f9a227f5cca3ab /net/netfilter/nft_exthdr.c
parent77b337196a9d87f3d6bb9b07c0436ecafbffda1e (diff)
netfilter: nft_payload: don't allow th access for fragments
Loads relative to ->thoff naturally expect that this points to the transport header, but this is only true for the first fragment, i.e. when pkt->fragoff == 0. This has little effect for rulesets with connection tracking/nat because these enable IP defragmentation. For other rulesets this prevents false matches on non-first fragments. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/nft_exthdr.c')
-rw-r--r--net/netfilter/nft_exthdr.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index dbe1f2e7dd9ed6..9e927ab4df1510 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -167,7 +167,7 @@ nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
{
struct tcphdr *tcph;
- if (pkt->tprot != IPPROTO_TCP)
+ if (pkt->tprot != IPPROTO_TCP || pkt->fragoff)
return NULL;
tcph = skb_header_pointer(pkt->skb, nft_thoff(pkt), sizeof(*tcph), buffer);
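Review bot: The new `pkt->fragoff` test on the `if` line carries no comment explaining why a non-zero fragment offset makes the TCP header unreachable, so a later reader may mistake it for an over-strict check and relax it; I would add `/* nft_thoff() only points at the TCP header on the first fragment (fragoff == 0); later fragments carry payload only, so treat them as no-match */` above the condition. The guard also relies on `pkt->fragoff` being populated by the pktinfo setup for every address family this helper is reached from, which the hunk cannot show; if the IPv6 path leaves it zero for fragmented packets, the fix would only take effect for IPv4, so that is worth confirming. Returning NULL here presumably maps to a rule no-match in the callers rather than a drop, which is the right failure mode for a header that cannot be located. nft_tcp_header_pointer's body continues outside the hunk.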