netfilter: nf_flow_table: check ttl value in flow offload data path

[ Upstream commit 33cc3c0c ] nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check ttl value. So, ttl value overflow may occur. Fixes: 97add9f0 ("netfilter: flow table support for IPv4") Fixes: 09952107 ("netfilter: flow table support for IPv6") Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: nf_flow_table: check ttl value in flow offload data path
[ Upstream commit 33cc3c0c ] nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check ttl value. So, ttl value overflow may occur. Fixes: 97add9f0 ("netfilter: flow table support for IPv4") Fixes: 09952107 ("netfilter: flow table support for IPv6") Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
c155f374 · Taehee Yoo · Greg Kroah-Hartman · c6508f86 · c155f374
Commit c155f374 authored Apr 30, 2019 by Taehee Yoo Committed by Greg Kroah-Hartman Jun 15, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

net/netfilter/nf_flow_table_ip.c net/netfilter/nf_flow_table_ip.c +6 -0

No files found.
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
 	    iph->protocol != IPPROTO_UDP)
 		return -1;

+	if (iph->ttl <= 1)
+		return -1;
+
 	thoff = iph->ihl * 4;
 	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
 		return -1;
@@ -411,6 +414,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
 	    ip6h->nexthdr != IPPROTO_UDP)
 		return -1;

+	if (ip6h->hop_limit <= 1)
+		return -1;
+
 	thoff = sizeof(*ip6h);
 	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
 		return -1;