Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 51fb4629 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Harshit Mogalapalli
Browse files

netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 



[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]

If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().

skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.

Fixes: 7ec3f7b4 ("netfilter: nft_payload: add packet mangling support")
Reported-by: default avatarSlavin Liu <slavin-ayu@qq.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
(cherry picked from commit a661ed364ae6ae88c2fafa9ddc27df1af2a73701)
Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: default avatarHarshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
parent d2216921
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment