releases/4.19.51/netfilter-nf_flow_table-check-ttl-value-in-flow-offl.patch

   1 From 806de2ef475499053e70927728e7b0c6c24b99a2 Mon Sep 17 00:00:00 2001
   2 From: Taehee Yoo <ap420073@gmail.com>
   3 Date: Tue, 30 Apr 2019 01:55:54 +0900
   4 Subject: netfilter: nf_flow_table: check ttl value in flow offload data path
   5
   6 [ Upstream commit 33cc3c0cfa64c86b6c4bbee86997aea638534931 ]
   7
   8 nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check
   9 ttl value. So, ttl value overflow may occur.
  10
  11 Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4")
  12 Fixes: 0995210753a2 ("netfilter: flow table support for IPv6")
  13 Signed-off-by: Taehee Yoo <ap420073@gmail.com>
  14 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  15 Signed-off-by: Sasha Levin <sashal@kernel.org>
  16 ---
  17  net/netfilter/nf_flow_table_ip.c | 6 ++++++
  18  1 file changed, 6 insertions(+)
  19
  20 diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
  21 index 15ed91309992..129e9ec99ec9 100644
  22 --- a/net/netfilter/nf_flow_table_ip.c
  23 +++ b/net/netfilter/nf_flow_table_ip.c
  24 @@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
  25             iph->protocol != IPPROTO_UDP)
  26                 return -1;
  27
  28 +       if (iph->ttl <= 1)
  29 +               return -1;
  30 +
  31         thoff = iph->ihl * 4;
  32         if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
  33                 return -1;
  34 @@ -412,6 +415,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
  35             ip6h->nexthdr != IPPROTO_UDP)
  36                 return -1;
  37
  38 +       if (ip6h->hop_limit <= 1)
  39 +               return -1;
  40 +
  41         thoff = sizeof(*ip6h);
  42         if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
  43                 return -1;
  44 --
  45 2.20.1
  46