[thirdparty/kernel/stable-queue.git] / releases / 4.19.51 / netfilter-nf_flow_table-check-ttl-value-in-flow-offl.patch

From 806de2ef475499053e70927728e7b0c6c24b99a2 Mon Sep 17 00:00:00 2001
From: Taehee Yoo <ap420073@gmail.com>
Date: Tue, 30 Apr 2019 01:55:54 +0900
Subject: netfilter: nf_flow_table: check ttl value in flow offload data path

[ Upstream commit 33cc3c0cfa64c86b6c4bbee86997aea638534931 ]

nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check
ttl value. So, ttl value overflow may occur.

Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4")
Fixes: 0995210753a2 ("netfilter: flow table support for IPv6")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_flow_table_ip.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 15ed91309992..129e9ec99ec9 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
 	    iph->protocol != IPPROTO_UDP)
 		return -1;
 
+	if (iph->ttl <= 1)
+		return -1;
+
 	thoff = iph->ihl * 4;
 	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
 		return -1;
@@ -412,6 +415,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
 	    ip6h->nexthdr != IPPROTO_UDP)
 		return -1;
 
+	if (ip6h->hop_limit <= 1)
+		return -1;
+
 	thoff = sizeof(*ip6h);
 	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
 		return -1;
-- 
2.20.1
Commit	Line	Data
37554d48 SL	1	From 806de2ef475499053e70927728e7b0c6c24b99a2 Mon Sep 17 00:00:00 2001
	2	From: Taehee Yoo <ap420073@gmail.com>
	3	Date: Tue, 30 Apr 2019 01:55:54 +0900
	4	Subject: netfilter: nf_flow_table: check ttl value in flow offload data path
	5
	6	[ Upstream commit 33cc3c0cfa64c86b6c4bbee86997aea638534931 ]
	7
	8	nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check
	9	ttl value. So, ttl value overflow may occur.
	10
	11	Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4")
	12	Fixes: 0995210753a2 ("netfilter: flow table support for IPv6")
	13	Signed-off-by: Taehee Yoo <ap420073@gmail.com>
	14	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	15	Signed-off-by: Sasha Levin <sashal@kernel.org>
	16	---
	17	net/netfilter/nf_flow_table_ip.c \| 6 ++++++
	18	1 file changed, 6 insertions(+)
	19
	20	diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
	21	index 15ed91309992..129e9ec99ec9 100644
	22	--- a/net/netfilter/nf_flow_table_ip.c
	23	+++ b/net/netfilter/nf_flow_table_ip.c
	24	@@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff skb, const struct net_device dev,
	25	iph->protocol != IPPROTO_UDP)
	26	return -1;
	27
	28	+ if (iph->ttl <= 1)
	29	+ return -1;
	30	+
	31	thoff = iph->ihl * 4;
	32	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
	33	return -1;
	34	@@ -412,6 +415,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff skb, const struct net_device dev,
	35	ip6h->nexthdr != IPPROTO_UDP)
	36	return -1;
	37
	38	+ if (ip6h->hop_limit <= 1)
	39	+ return -1;
	40	+
	41	thoff = sizeof(*ip6h);
	42	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
	43	return -1;
	44	--
	45	2.20.1
	46