4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Jan 2022 14:47:46 +0000 (15:47 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 29 Jan 2022 14:47:46 +0000 (15:47 +0100)
added patches:
netfilter-nft_payload-do-not-update-layer-4-checksum-when-mangling-fragments.patch

queue-4.19/netfilter-nft_payload-do-not-update-layer-4-checksum-when-mangling-fragments.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/netfilter-nft_payload-do-not-update-layer-4-checksum-when-mangling-fragments.patch b/queue-4.19/netfilter-nft_payload-do-not-update-layer-4-checksum-when-mangling-fragments.patch
new file mode 100644 (file)
index 0000000..489212b
--- /dev/null
@@ -0,0 +1,33 @@
+From 4e1860a3863707e8177329c006d10f9e37e097a8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 5 Jan 2022 16:09:57 +0100
+Subject: netfilter: nft_payload: do not update layer 4 checksum when mangling fragments
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 4e1860a3863707e8177329c006d10f9e37e097a8 upstream.
+
+IP fragments do not come with the transport header, hence skip bogus
+layer 4 checksum updates.
+
+Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields")
+Reported-and-tested-by: Steffen Weinreich <steve@weinreich.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_payload.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -194,6 +194,9 @@ static int nft_payload_l4csum_offset(con
+                                    struct sk_buff *skb,
+                                    unsigned int *l4csum_offset)
+ {
++      if (pkt->xt.fragoff)
++              return -1;
++
+       switch (pkt->tprot) {
+       case IPPROTO_TCP:
+               *l4csum_offset = offsetof(struct tcphdr, check);
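Review bot: The added `if (pkt->xt.fragoff) return -1;` guard at the top of nft_payload_l4csum_offset() carries no comment, and it returns the same -1 the function presumably uses for transport protocols it does not handle, so a reader cannot tell a deliberate skip from an error. I would put `/* Non-first fragments carry no transport header, so there is no layer 4 checksum to adjust. */` directly above the check. The caller is outside this hunk and the function body continues past the visible lines, so confirm in the 4.19 tree that a negative return means the checksum is left untouched rather than the mangle failing or the packet being dropped. The first fragment (offset 0) still passes the guard, which looks intended because it does carry the transport header.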
index a19be899810422ad95613eec443f013e00bf11c9..1f24705f5b67bda6e2f0c921c6719ff25b3164b9 100644 (file)
@@ -5,3 +5,4 @@ udf-restore-i_lenalloc-when-inode-expansion-fails.patch
 udf-fix-null-ptr-deref-when-converting-from-inline-format.patch
 pm-wakeup-simplify-the-output-logic-of-pm_show_wakelocks.patch
 drm-etnaviv-relax-submit-size-limits.patch
+netfilter-nft_payload-do-not-update-layer-4-checksum-when-mangling-fragments.patch