netfilter: nf_queue: do not allow packet truncation below transport header offset - kernel/linux.git

diff options

author	Florian Westphal <fw@strlen.de>	2022-07-26 13:42:06 +0300
committer	Florian Westphal <fw@strlen.de>	2022-07-26 22:12:42 +0300
commit	99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 (patch)
tree	3c552bf8a966f236cf0bfb778f4b3a945150b2cc /net/rxrpc/local_object.c
parent	9b134b1694ec8926926ba6b7b80884ea829245a0 (diff)
download	linux-99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164.tar.xz

netfilter: nf_queue: do not allow packet truncation below transport header offset

Domingo Dirutigliano and Nicola Guerrera report kernel panic when sending nf_queue verdict with 1-byte nfta_payload attribute. The IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. If user truncates the packet below the header size, this skb_pull() will result in a malformed skb (skb->len < 0). Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me> Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/rxrpc/local_object.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: