summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorTaehee Yoo <ap420073@gmail.com>2019-04-29 18:55:54 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-04-30 13:56:19 +0200
commit33cc3c0cfa64c86b6c4bbee86997aea638534931 (patch)
tree8bfaf82f1fc93007863fb85b1ae2146600357497 /net
parentnetfilter: nf_flow_table: fix netdev refcnt leak (diff)
downloadlinux-33cc3c0cfa64c86b6c4bbee86997aea638534931.tar.xz
linux-33cc3c0cfa64c86b6c4bbee86997aea638534931.zip
netfilter: nf_flow_table: check ttl value in flow offload data path
nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check ttl value. So, ttl value overflow may occur. Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4") Fixes: 0995210753a2 ("netfilter: flow table support for IPv6") Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_flow_table_ip.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 1d291a51cd45..46022a2867d7 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
iph->protocol != IPPROTO_UDP)
return -1;
+ if (iph->ttl <= 1)
+ return -1;
+
thoff = iph->ihl * 4;
if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
return -1;
@@ -411,6 +414,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
ip6h->nexthdr != IPPROTO_UDP)
return -1;
+ if (ip6h->hop_limit <= 1)
+ return -1;
+
thoff = sizeof(*ip6h);
if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
return -1;