]> www.infradead.org Git - users/willy/xarray.git/commit
projects / users / willy / xarray.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 77b3371) | patch
netfilter: nft_payload: don't allow th access for fragments
authorFlorian Westphal <fw@strlen.de>
Sat, 29 Jan 2022 16:13:23 +0000 (17:13 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 4 Feb 2022 04:38:15 +0000 (05:38 +0100)
commita9e8503def0fd4ed89ade1f61c315f904581d439
tree7e7678e27bded2e65072d96af8f9a227f5cca3abtree
parent77b337196a9d87f3d6bb9b07c0436ecafbffda1ecommit | diff
netfilter: nft_payload: don't allow th access for fragments

Loads relative to ->thoff naturally expect that this points to the
transport header, but this is only true if pkt->fragoff == 0.

This has little effect for rulesets with connection tracking/nat because
these enable ip defra. For other rulesets this prevents false matches.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_exthdr.c diff | blob | history
net/netfilter/nft_payload.c diff | blob | history
XArray, radix tree and IDR