netfilter: conntrack: add missing netlink policy validations - kernel/linux.git

diff options

author	Florian Westphal <fw@strlen.de>	2026-03-10 02:28:29 +0300
committer	Florian Westphal <fw@strlen.de>	2026-03-13 17:31:14 +0300
commit	f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 (patch)
tree	e1351acf4cc594a03f912f40dd7e0c1c2cb98fc2 /include
parent	5cb81eeda909dbb2def209dd10636b51549a3f8a (diff)
download	linux-f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05.tar.xz

netfilter: conntrack: add missing netlink policy validations

Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN. Fixes: 076a0ca02644 ("netfilter: ctnetlink: add NAT support for expectations") Fixes: a258860e01b8 ("netfilter: ctnetlink: add full support for SCTP to ctnetlink") Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: