netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()

[ Upstream commit 559c36c5a8d730c49ef805a72b213d3bba155cc8 ] nf_osf_find() incorrectly returns true on mismatch, this leads to copying uninitialized memory area in nft_osf which can be used to leak stale kernel stack data to userspace. Fixes: 22c7652cdaa8 ("netfilter: nft_osf: Add version option support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2022-09-07 11:26:18 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-09-28 12:04:05 +0300
commit: 721ea8ac063d70c2078c4e762212705de6151764 (patch)
tree: 424d91ab7d5281a3579bb9c084b453e4328b9a59
parent: d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2 (diff)
download: linux-721ea8ac063d70c2078c4e762212705de6151764.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 79fbf37291f3..51e3953b414c 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -269,6 +269,7 @@ bool nf_osf_find(const struct sk_buff *skb,
 	struct nf_osf_hdr_ctx ctx;
 	const struct tcphdr *tcp;
 	struct tcphdr _tcph;
+	bool found = false;
 
 	memset(&ctx, 0, sizeof(ctx));
 
@@ -283,10 +284,11 @@ bool nf_osf_find(const struct sk_buff *skb,
 
 		data->genre = f->genre;
 		data->version = f->version;
+		found = true;
 		break;
 	}
 
-	return true;
+	return found;
 }
 EXPORT_SYMBOL_GPL(nf_osf_find);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2022-09-07 11:26:18 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-09-28 12:04:05 +0300
commit	721ea8ac063d70c2078c4e762212705de6151764 (patch)
tree	424d91ab7d5281a3579bb9c084b453e4328b9a59
parent	d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2 (diff)
download	linux-721ea8ac063d70c2078c4e762212705de6151764.tar.xz