Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b078556a authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt 



l4proto->manip_pkt() can cause reallocation of skb head so pointer
to the ipv6 header must be reloaded.

Reported-and-tested-by: default avatar <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
Fixes: 58a317f1 ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 1a9da593

net/ipv6/netfilter/nf_nat_l3proto_ipv6.c

+4 −0
Original line number Original line Diff line number Diff line
@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb, 
	    !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,

	    !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,

				target, maniptype))

				target, maniptype))

		return false;

		return false;



	/* must reload, offset might have changed */

	ipv6h = (void *)skb->data + iphdroff;



manip_addr:

manip_addr:

	if (maniptype == NF_NAT_MANIP_SRC)

	if (maniptype == NF_NAT_MANIP_SRC)

		ipv6h->saddr = target->src.u3.in6;

		ipv6h->saddr = target->src.u3.in6;