Commit 33cc3c0c authored by Taehee Yoo's avatar Taehee Yoo Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_flow_table: check ttl value in flow offload data path 



nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check
ttl value. So, ttl value overflow may occur.

Fixes: 97add9f0 ("netfilter: flow table support for IPv4")
Fixes: 09952107 ("netfilter: flow table support for IPv6")
Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 26a302af

net/netfilter/nf_flow_table_ip.c

+6 −0
Original line number Diff line number Diff line
@@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev, 
	    iph->protocol != IPPROTO_UDP)

		return -1;



	if (iph->ttl <= 1)

		return -1;



	thoff = iph->ihl * 4;

	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))

		return -1;
@@ -411,6 +414,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev, 
	    ip6h->nexthdr != IPPROTO_UDP)

		return -1;



	if (ip6h->hop_limit <= 1)

		return -1;



	thoff = sizeof(*ip6h);

	if (!pskb_may_pull(skb, thoff + sizeof(*ports)))

		return -1;

CRA Git | Maintained and supported by SUSTech CRA and CCSE