netfilter: nft_payload: fix wrong mac header matching

mcast packets get looped back to the local machine. Such packets have a 0-length mac header, we should treat this like "mac header not set" and abort rule evaluation. As-is, we just copy data from the network header instead. Fixes: 96518518 ("netfilter: add nftables") Reported-by: Blažej Krajňák <krajnak@levonet.sk> Signed-off-by: Florian Westphal <fw@strlen.de>

netfilter: nft_payload: fix wrong mac header matching
mcast packets get looped back to the local machine. Such packets have a 0-length mac header, we should treat this like "mac header not set" and abort rule evaluation. As-is, we just copy data from the network header instead. Fixes: 96518518 ("netfilter: add nftables") Reported-by: Blažej Krajňák <krajnak@levonet.sk> Signed-off-by: Florian Westphal <fw@strlen.de>
d351c1ea · Florian Westphal · 505ce063 · d351c1ea
Commit d351c1ea authored Oct 08, 2023 by Florian Westphal
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/netfilter/nft_payload.c net/netfilter/nft_payload.c +1 -1

No files found.
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -179,7 +179,7 @@ void nft_payload_eval(const struct nft_expr *expr,

 	switch (priv->base) {
 	case NFT_PAYLOAD_LL_HEADER:
-		if (!skb_mac_header_was_set(skb))
+		if (!skb_mac_header_was_set(skb) || skb_mac_header_len(skb) == 0)
 			goto err;

 		if (skb_vlan_tag_present(skb) &&