diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-08-26 12:45:22 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-08-26 13:05:28 +0200 |
| commit | 5fd0628918977a0afdc2e6bc562d8751b5d3b8c5 (patch) | |
| tree | ed486cc40c4482e16ebe28c8a9903aa1abd96956 /net/sched/cls_basic.c | |
| parent | 8af174ea863c72f25ce31cee3baad8a301c0cf0f (diff) | |
netfilter: nf_tables: restore IP sanity checks for netdev/egress
Subtract network offset to skb->len before performing IPv4 header sanity
checks, then adjust transport offset from offset from mac header.
Jorge Ortiz says:
When small UDP packets (< 4 bytes payload) are sent from eth0,
`meta l4proto udp` condition is not met because `NFT_PKTINFO_L4PROTO` is
not set. This happens because there is a comparison that checks if the
transport header offset exceeds the total length. This comparison does
not take into account the fact that the skb network offset might be
non-zero in egress mode (e.g., 14 bytes for Ethernet header).
Fixes: 0ae8e4cca787 ("netfilter: nf_tables: set transport offset from mac header for netdev/egress")
Reported-by: Jorge Ortiz <jorge.ortiz.escribano@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/sched/cls_basic.c')
0 files changed, 0 insertions, 0 deletions