Add sanity check for iph->ihl field in nf_flow_ip4_tunnel_proto() before
using it to compute the header size, avoiding out-of-bounds access with
malformed IP headers.

While at it, use iph->protocol instead of the hardcoded IPPROTO_IPIP
constant when setting ctx->tun.proto and reference ctx->tun.hdr_size
when updating ctx->offset.

Fixes: ab427db178858 ("netfilter: flowtable: Add IPIP rx sw acceleration")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
return false;
iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset);
- size = iph->ihl << 2;
+ if (iph->ihl < 5)
+ return false;
+ size = iph->ihl << 2;
if (ip_is_fragment(iph) || unlikely(ip_has_options(size)))
return false;
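Review bot: The bare 5 in `if (iph->ihl < 5)` is a magic number with no comment. It is the minimum IPv4 header length in 32-bit words (20 bytes), so either say so in a comment or compare against `sizeof(struct iphdr)`, for example by computing `size` first and testing `size < sizeof(*iph)`. The unchanged line right below already returns false on `ip_has_options(size)`; if that helper is true for every size other than a plain 20-byte header, an undersized `ihl` was already rejected at that point, and the commit message should name which access between the two lines actually went out of bounds so the need for the earlier check is clear to someone backporting it.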
return false;
if (iph->protocol == IPPROTO_IPIP) {
- ctx->tun.proto = IPPROTO_IPIP;
+ ctx->tun.proto = iph->protocol;
ctx->tun.hdr_size = size;
- ctx->offset += size;
+ ctx->offset += ctx->tun.hdr_size;
}
return true;
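Review bot: Both replacements in this hunk sit inside `if (iph->protocol == IPPROTO_IPIP)`, where `iph->protocol` equals the old constant and `ctx->tun.hdr_size` has just been assigned `size`, so they change nothing at run time and are unrelated to the `ihl` check. Because the commit carries a Fixes: tag and will be picked up for stable trees, consider moving these two cleanups into a separate follow-up patch so the fix stays minimal. If they stay, note that `ctx->offset += ctx->tun.hdr_size;` now depends on the `hdr_size` assignment on the line above it remaining first.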