diff options
Diffstat (limited to 'queue-5.15/netfilter-flowtable-validate-pppoe-header.patch')
| -rw-r--r-- | queue-5.15/netfilter-flowtable-validate-pppoe-header.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/queue-5.15/netfilter-flowtable-validate-pppoe-header.patch b/queue-5.15/netfilter-flowtable-validate-pppoe-header.patch new file mode 100644 index 0000000000..8e7973e2af --- /dev/null +++ b/queue-5.15/netfilter-flowtable-validate-pppoe-header.patch @@ -0,0 +1,106 @@ +From 3502d405ac432b3ec4ee9c0a410d5696951fdb3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 9 Apr 2024 13:47:33 +0200 +Subject: netfilter: flowtable: validate pppoe header + +From: Pablo Neira Ayuso <pablo@netfilter.org> + +[ Upstream commit 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf ] + +Ensure there is sufficient room to access the protocol field of the +PPPoe header. Validate it once before the flowtable lookup, then use a +helper function to access protocol field. + +Reported-by: syzbot+b6f07e1c07ef40199081@syzkaller.appspotmail.com +Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/net/netfilter/nf_flow_table.h | 12 +++++++++++- + net/netfilter/nf_flow_table_inet.c | 3 ++- + net/netfilter/nf_flow_table_ip.c | 8 +++++--- + 3 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index 6cc0cfbf69b86..8e98fb8edff8d 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -318,7 +318,7 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow, + int nf_flow_table_offload_init(void); + void nf_flow_table_offload_exit(void); + +-static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) ++static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) + { + __be16 proto; + +@@ -334,6 +334,16 @@ static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) + return 0; + } + ++static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) ++{ ++ if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) ++ return false; ++ ++ *inner_proto = __nf_flow_pppoe_proto(skb); ++ ++ return true; ++} ++ + #define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count) + #define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count) + #define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \ +diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c +index 280fdd32965f6..6783ea220f8fe 100644 +--- a/net/netfilter/nf_flow_table_inet.c ++++ b/net/netfilter/nf_flow_table_inet.c +@@ -21,7 +21,8 @@ nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb, + proto = veth->h_vlan_encapsulated_proto; + break; + case htons(ETH_P_PPP_SES): +- proto = nf_flow_pppoe_proto(skb); ++ if (!nf_flow_pppoe_proto(skb, &proto)) ++ return NF_ACCEPT; + break; + default: + proto = skb->protocol; +diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c +index 28026467b54cd..448956fb52f69 100644 +--- a/net/netfilter/nf_flow_table_ip.c ++++ b/net/netfilter/nf_flow_table_ip.c +@@ -246,10 +246,11 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb, + return NF_STOLEN; + } + +-static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, ++static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, + u32 *offset) + { + struct vlan_ethhdr *veth; ++ __be16 inner_proto; + + switch (skb->protocol) { + case htons(ETH_P_8021Q): +@@ -260,7 +261,8 @@ static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, + } + break; + case htons(ETH_P_PPP_SES): +- if (nf_flow_pppoe_proto(skb) == proto) { ++ if (nf_flow_pppoe_proto(skb, &inner_proto) && ++ inner_proto == proto) { + *offset += PPPOE_SES_HLEN; + return true; + } +@@ -289,7 +291,7 @@ static void nf_flow_encap_pop(struct sk_buff *skb, + skb_reset_network_header(skb); + break; + case htons(ETH_P_PPP_SES): +- skb->protocol = nf_flow_pppoe_proto(skb); ++ skb->protocol = __nf_flow_pppoe_proto(skb); + skb_pull(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + break; +-- +2.43.0 + |