Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a7f87b47 authored Dec 30, 2017 by Pablo Neira Ayuso

netfilter: remove defensive check on malformed packets from raw sockets



Users cannot forge malformed IPv4/IPv6 headers via raw sockets that they
can inject into the stack. Specifically, not for IPv4 since 55888dfb
("AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl
(v2)"). IPv6 raw sockets also ensure that packets have a well-formed
IPv6 header available in the skbuff.

At quick glance, br_netfilter also validates layer 3 headers and it
drops malformed both IPv4 and IPv6 packets.

Therefore, let's remove this defensive check all over the place.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent f6931f5f

net/ipv4/netfilter/iptable_filter.c

+0 −6

Original line number	Diff line number	Diff line
		@@ -38,12 +38,6 @@ static unsigned int
		iptable_filter_hook(void priv, struct sk_buff skb,
		const struct nf_hook_state *state)
		{
		if (state->hook == NF_INET_LOCAL_OUT &&
		(skb->len < sizeof(struct iphdr) \|\|
		ip_hdrlen(skb) < sizeof(struct iphdr)))
		/* root is playing with raw sockets. */
		return NF_ACCEPT;

		return ipt_do_table(skb, state, state->net->ipv4.iptable_filter);
		}

net/ipv4/netfilter/iptable_mangle.c

+0 −5

Original line number	Diff line number	Diff line
		@@ -49,11 +49,6 @@ ipt_mangle_out(struct sk_buff skb, const struct nf_hook_state state)
		u_int32_t mark;
		int err;

		/* root is playing with raw sockets. */
		if (skb->len < sizeof(struct iphdr) \|\|
		ip_hdrlen(skb) < sizeof(struct iphdr))
		return NF_ACCEPT;

		/* Save things which could affect route */
		mark = skb->mark;
		iph = ip_hdr(skb);

net/ipv4/netfilter/iptable_raw.c

+0 −6

Original line number	Diff line number	Diff line
		@@ -26,12 +26,6 @@ static unsigned int
		iptable_raw_hook(void priv, struct sk_buff skb,
		const struct nf_hook_state *state)
		{
		if (state->hook == NF_INET_LOCAL_OUT &&
		(skb->len < sizeof(struct iphdr) \|\|
		ip_hdrlen(skb) < sizeof(struct iphdr)))
		/* root is playing with raw sockets. */
		return NF_ACCEPT;

		return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
		}

net/ipv4/netfilter/iptable_security.c

+0 −6

Original line number	Diff line number	Diff line
		@@ -43,12 +43,6 @@ static unsigned int
		iptable_security_hook(void priv, struct sk_buff skb,
		const struct nf_hook_state *state)
		{
		if (state->hook == NF_INET_LOCAL_OUT &&
		(skb->len < sizeof(struct iphdr) \|\|
		ip_hdrlen(skb) < sizeof(struct iphdr)))
		/* Somebody is playing with raw sockets. */
		return NF_ACCEPT;

		return ipt_do_table(skb, state, state->net->ipv4.iptable_security);
		}

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

+0 −5

Original line number	Diff line number	Diff line
		@@ -154,11 +154,6 @@ static unsigned int ipv4_conntrack_local(void *priv,
		struct sk_buff *skb,
		const struct nf_hook_state *state)
		{
		/* root is playing with raw sockets. */
		if (skb->len < sizeof(struct iphdr) \|\|
		ip_hdrlen(skb) < sizeof(struct iphdr))
		return NF_ACCEPT;

		if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */
		return NF_ACCEPT;