author: Florian Westphal <fw@strlen.de> 2022-06-22 17:43:57 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2022-06-27 20:22:54 +0300
commit: e34b9ed96ce3b06c79bf884009b16961ca478f87 (patch)
tree: 24f0f95c0c661f65112d97d7d77c3ccf709f1408 /net/bridge
parent: 05907f10e235680cc7fb196810e4ad3215d5e648 (diff)
netfilter: nf_tables: avoid skb access on nf_stolen
When verdict is NF_STOLEN, the skb might have been freed.

When tracing is enabled, this can result in a use-after-free:
1. access to skb->nf_trace
2. access to skb->mark
3. computation of trace id
4. dump of packet payload

To avoid 1, keep a cached copy of skb->nf_trace in the trace state struct.
Refresh this copy whenever verdict is != STOLEN.

Avoid 2 by skipping skb->mark access if verdict is STOLEN.

3 is avoided by precomputing the trace id.

Only dump the packet when verdict is not "STOLEN".

Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/bridge')
0 files changed, 0 insertions, 0 deletions
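
The four guards listed in the commit message, as a user-space C model added here for illustration; it is not code from this commit or from the kernel. All type and function names (`pkt`, `trace_state`, `trace_emit`, and so on) and the id formula are assumptions, and a NULL pointer stands in for the freed skb.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* User-space model only: every name below is hypothetical, not a kernel identifier. */
enum verdict { V_ACCEPT, V_STOLEN };
struct pkt { bool trace; uint32_t mark; uint8_t payload[8]; };
struct trace_state { bool trace; uint32_t id; };  /* cached flag + precomputed id */
struct trace_event { uint32_t id; bool has_mark; uint32_t mark; size_t dumped; };

/* Runs while the packet is known to be valid: cache what is needed later. */
static void trace_init(struct trace_state *st, const struct pkt *p)
{
    st->trace = p->trace;
    st->id = p->mark ^ 0x9e3779b9u;  /* stand-in for the real trace id computation */
}

/* After a hook returns: refresh the cached flag only if the packet is still ours. */
static void trace_update(struct trace_state *st, const struct pkt *p, enum verdict v)
{
    if (v != V_STOLEN)
        st->trace = p->trace;
}

/* Build the trace event; p is dereferenced only when the verdict is not STOLEN. */
static bool trace_emit(const struct trace_state *st, const struct pkt *p,
                       enum verdict v, struct trace_event *ev)
{
    *ev = (struct trace_event){ .id = st->id };
    if (!st->trace)
        return false;
    if (v != V_STOLEN) {
        ev->has_mark = true;
        ev->mark = p->mark;
        ev->dumped = sizeof(p->payload);  /* the payload dump would happen here */
    }
    return true;
}

/* Constructed scenario: a hook consumed the packet and returned STOLEN. */
static bool demo_stolen(struct trace_event *ev)
{
    struct trace_state st;
    struct pkt p = { .trace = true, .mark = 7 };

    trace_init(&st, &p);
    /* NULL models the freed packet: any dereference below would fault. */
    trace_update(&st, NULL, V_STOLEN);
    return trace_emit(&st, NULL, V_STOLEN, ev);
}
```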