git.baikalelectronics.ru Git - kernel.git/commit
netfilter: nft_payload: don't allow th access for fragments
author Florian Westphal <fw@strlen.de>
Sat, 29 Jan 2022 16:13:23 +0000 (17:13 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 4 Feb 2022 04:38:15 +0000 (05:38 +0100)
commit 337f19dbe67afcffa7f81aaf6b35578e1813ca78
tree 7e7678e27bded2e65072d96af8f9a227f5cca3ab
parent f313364d2e406008e7696d4c2bb784e5be3fa27c
netfilter: nft_payload: don't allow th access for fragments

Loads relative to ->thoff naturally expect that this points to the
transport header, but this is only true if pkt->fragoff == 0.

This has little effect for rulesets with connection tracking/nat because
these enable ip defrag. For other rulesets this prevents false matches.

Fixes: 4a4835e91e03 ("netfilter: add nftables")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_exthdr.c
net/netfilter/nft_payload.c
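The false match the commit message describes, shown as an added example that is not the kernel's own code: a second IPv4 fragment still carries protocol 6 in its IP header, so an "ip protocol tcp" check passes, but the bytes at thoff are opaque payload, not a TCP header. The struct and function names below (pkt, pkt_set_ipv4, th_load_unchecked, th_load_checked, rule_tcp_dport) are hypothetical stand-ins for the nft_pktinfo fields and the payload load in nft_payload.c; the two packets are constructed, not captured. Only the payload case is modelled; the nft_exthdr.c (TCP option) side of the fix follows the same fragoff rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the nft_pktinfo fields named in the commit
 * message (->thoff and ->fragoff); not the kernel's structure. */
struct pkt {
    const uint8_t *data;  /* start of the IPv4 header */
    size_t len;           /* bytes available */
    unsigned int thoff;   /* transport header offset (IHL * 4) */
    unsigned int fragoff; /* fragment offset in bytes; 0 for first/unfragmented */
    uint8_t l4proto;      /* IPv4 protocol field */
};

/* Parse the fixed part of an IPv4 header. Returns -1 if malformed. */
static int pkt_set_ipv4(struct pkt *p, const uint8_t *data, size_t len)
{
    if (len < 20 || (data[0] >> 4) != 4)
        return -1;
    unsigned int ihl = (data[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    p->data = data;
    p->len = len;
    p->thoff = ihl;
    /* low 13 bits of the flags/fragment-offset field, in 8-byte units */
    p->fragoff = (((data[6] & 0x1f) << 8) | data[7]) * 8;
    p->l4proto = data[9];
    return 0;
}

/* "Before": a load relative to thoff that trusts it unconditionally. */
static int th_load_unchecked(const struct pkt *p, unsigned int off,
                             unsigned int n, uint8_t *dst)
{
    if (p->thoff + off + n > p->len)
        return -1;
    memcpy(dst, p->data + p->thoff + off, n);
    return 0;
}

/* "After": on a non-first fragment the bytes at thoff are payload, so the
 * transport-header load is refused and the rule cannot match. */
static int th_load_checked(const struct pkt *p, unsigned int off,
                           unsigned int n, uint8_t *dst)
{
    if (p->fragoff != 0)
        return -1;
    return th_load_unchecked(p, off, n, dst);
}

/* Evaluate "ip protocol tcp tcp dport <port>".
 * Returns 1 on match, 0 on no match or when the load is refused. */
static int rule_tcp_dport(const uint8_t *data, size_t len, uint16_t port,
                          int checked)
{
    struct pkt p;
    uint8_t dport[2];
    if (pkt_set_ipv4(&p, data, len) < 0 || p.l4proto != 6)
        return 0;
    if ((checked ? th_load_checked : th_load_unchecked)(&p, 2, 2, dport) < 0)
        return 0;
    return (((unsigned)dport[0] << 8) | dport[1]) == port;
}

/* Constructed sample packets (not captured traffic). */
/* First fragment (MF set, offset 0): TCP header 40000 -> 22 follows IP. */
static const uint8_t first_frag[] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x20, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff,
    0x00, 0x00, 0x00, 0x00,
};
/* Second fragment (offset 1 = 8 bytes): opaque payload whose bytes at
 * thoff+2..3 happen to be 0x00 0x16, i.e. they look like dport 22. */
static const uint8_t second_frag[] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x01, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,
    0x41, 0x42, 0x00, 0x16, 0x43, 0x44, 0x45, 0x46,
};

/* Convenience wrapper for the rule "tcp dport 22". */
static int eval_tcp_dport22(const uint8_t *data, size_t len, int checked)
{
    return rule_tcp_dport(data, len, 22, checked);
}

int main(void)
{
    printf("first fragment : unchecked=%d checked=%d\n",
           eval_tcp_dport22(first_frag, sizeof first_frag, 0),
           eval_tcp_dport22(first_frag, sizeof first_frag, 1));
    printf("second fragment: unchecked=%d checked=%d\n",
           eval_tcp_dport22(second_frag, sizeof second_frag, 0),
           eval_tcp_dport22(second_frag, sizeof second_frag, 1));
    return 0;
}
```

With the unchecked load, both fragments "match" tcp dport 22; with the fragoff check only the first fragment does. Rulesets that enable conntrack or nat never see the second case because nf_defrag reassembles the datagram before nftables evaluates it, which is why the commit notes the change mostly affects rulesets without those features.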