From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shmulik Ladkani, Eyal Birger, Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH 5.4 126/222] netfilter: nat: fix ICMP header corruption on ICMP errors
Date: Wed, 22 Jan 2020 10:28:32 +0100
Message-Id: <20200122092842.772441253@linuxfoundation.org>
In-Reply-To: <20200122092833.339495161@linuxfoundation.org>
References: <20200122092833.339495161@linuxfoundation.org>

From: Eyal Birger

commit 61177e911dad660df86a4553eb01c95ece2f6a82 upstream.

Commit 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
made nf_nat_icmp_reply_translation() use icmp_manip_pkt() as the l4
manipulation function for the outer packet on ICMP errors.

However, icmp_manip_pkt() assumes the packet has an 'id' field which
is not correct for all types of ICMP messages.

This is not correct for ICMP error packets, and leads to bogus bytes
being written to the ICMP header, which can be wrongfully regarded as
'length' bytes by RFC 4884 compliant receivers.

Fix by assigning the 'id' field only for ICMP messages that have this
semantic.

Reported-by: Shmulik Ladkani
Fixes: 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
Signed-off-by: Eyal Birger
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nf_nat_proto.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/net/netfilter/nf_nat_proto.c +++ b/net/netfilter/nf_nat_proto.c 
@@ -233,6 +233,19 @@ icmp_manip_pkt(struct sk_buff *skb, return false; hdr = (struct icmphdr *)(skb->data + hdroff); + switch (hdr->type) { + case ICMP_ECHO: + case ICMP_ECHOREPLY: + case ICMP_TIMESTAMP: + case ICMP_TIMESTAMPREPLY: + case ICMP_INFO_REQUEST: + case ICMP_INFO_REPLY: + case ICMP_ADDRESS: + case ICMP_ADDRESSREPLY: + break; + default: + return true; + } inet_proto_csum_replace2(&hdr->checksum, skb, hdr->un.echo.id, tuple->src.u.icmp.id, false); hdr->un.echo.id = tuple->src.u.icmp.id;
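
Review bot: the `default: return true;` arm of the new `switch (hdr->type)` in icmp_manip_pkt() reports success without rewriting anything, and nothing in the code says that this is deliberate. A short comment above the switch, stating that only the listed query types carry `un.echo.id` and that every other type must be left untouched, would keep a later reader from treating the early return as a bug or from trimming the case list. The same comment should note that the list is an allowlist, so an ICMP type that is not named in it passes through with its header bytes unchanged.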
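
The header overlap the commit message describes, as an added example that is not part of the original mail or of the kernel source: it models the 8-byte ICMP header and shows which byte an RFC 4884 receiver reads as 'length' after an unguarded and a guarded id rewrite. `struct icmp_model`, the `T_*` names, `manip_id()` and `byte5_after()` are hypothetical names for this sketch, the input headers are constructed, and the checksum adjustment is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ICMP type numbers (RFC 792, RFC 950); the T_* names are local to this example. */
enum { T_ECHOREPLY = 0, T_DEST_UNREACH = 3, T_ECHO = 8, T_TIMESTAMP = 13,
       T_TIMESTAMPREPLY = 14, T_INFO_REQUEST = 15, T_INFO_REPLY = 16,
       T_ADDRESS = 17, T_ADDRESSREPLY = 18 };

/* Simplified model of the 8-byte ICMP header (hypothetical, not struct icmphdr).
 * rest[0..1] is the 'id' of a query message; in an RFC 4884 Destination
 * Unreachable the same two bytes are "unused, length". */
struct icmp_model { uint8_t type, code, checksum[2], rest[4]; };

/* Mirrors the type list the patch adds: only these messages carry an 'id'. */
static bool has_id_field(uint8_t type)
{
    switch (type) {
    case T_ECHO: case T_ECHOREPLY: case T_TIMESTAMP: case T_TIMESTAMPREPLY:
    case T_INFO_REQUEST: case T_INFO_REPLY: case T_ADDRESS: case T_ADDRESSREPLY:
        return true;
    default:
        return false;
    }
}

/* Write the NAT-chosen id in network byte order. guarded=false models the
 * behaviour the commit message describes; guarded=true models the fix. */
static void manip_id(struct icmp_model *h, uint16_t id, bool guarded)
{
    if (guarded && !has_id_field(h->type))
        return;
    h->rest[0] = (uint8_t)(id >> 8);
    h->rest[1] = (uint8_t)(id & 0xff);
}

/* Build a constructed, zeroed header of the given type, apply the rewrite and
 * return byte 5, which an RFC 4884 receiver reads as 'length' on errors. */
static uint8_t byte5_after(uint8_t type, uint16_t id, bool guarded)
{
    struct icmp_model h = { .type = type };
    manip_id(&h, id, guarded);
    return h.rest[1];
}

int main(void)
{
    printf("unguarded: %u\n", (unsigned)byte5_after(T_DEST_UNREACH, 0x1234, false));
    printf("guarded:   %u\n", (unsigned)byte5_after(T_DEST_UNREACH, 0x1234, true));
    return 0;
}
```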