Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82238C433FE for ; Mon, 27 Dec 2021 15:30:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237812AbhL0Pas (ORCPT ); Mon, 27 Dec 2021 10:30:48 -0500 Received: from dfw.source.kernel.org ([139.178.84.217]:59932 "EHLO dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237594AbhL0P3X (ORCPT ); Mon, 27 Dec 2021 10:29:23 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 54C6361073; Mon, 27 Dec 2021 15:29:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 37146C36AEA; Mon, 27 Dec 2021 15:29:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1640618962; bh=p7lkAaeiex1Oo28vuehYLDXmy4up2+gjzEhOGI+KESo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mab3Kox7QMAlSQHpKEOOpV26lUv4lNe1Wf5+wHSfu1FQgL+q/nSsJUvxBbKDZciUU E6nOUg4bw/52CQOzY/hsh0eC1Iy2mNs3dye31FmGqhJ4Pzvyyech4EbwoN+SuSQzvp q4pJipy3xXnV6xzCmCtREruo0le3AscOWr/fvntg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Ignacy=20Gaw=C4=99dzki?= , Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.14 06/29] netfilter: fix regression in looped (broad|multi)casts MAC handling Date: Mon, 27 Dec 2021 16:27:16 +0100 Message-Id: <20211227151318.680438141@linuxfoundation.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211227151318.475251079@linuxfoundation.org> References: <20211227151318.475251079@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ignacy Gawędzki [ Upstream commit ebb966d3bdfed581ecccbb4a7432341baf7619b4 ] In commit 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac header was cleared"), the test for non-empty MAC header introduced in commit 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling") has been replaced with a test for a set MAC header. This breaks the case when the MAC header has been reset (using skb_reset_mac_header), as is the case with looped-back multicast packets. As a result, the packets ending up in NFQUEUE get a bogus hwaddr interpreted from the first bytes of the IP header. This patch adds a test for a non-empty MAC header in addition to the test for a set MAC header. The same two tests are also implemented in nfnetlink_log.c, where the initial code of commit 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling") has not been touched, but where supposedly the same situation may happen. Fixes: 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac header was cleared") Signed-off-by: Ignacy Gawędzki Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nfnetlink_log.c | 3 ++- net/netfilter/nfnetlink_queue.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index cad6498f10b03..0ccc7c851a788 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c @@ -510,7 +510,8 @@ __build_packet_message(struct nfnl_log_net *log, goto nla_put_failure; if (indev && skb->dev && - skb->mac_header != skb->network_header) { + skb_mac_header_was_set(skb) && + skb_mac_header_len(skb) != 0) { struct nfulnl_msg_packet_hw phw; int len; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 13e67eb75d841..26f563bbb58de 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -543,7 +543,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, goto nla_put_failure; if (indev && entskb->dev && - skb_mac_header_was_set(entskb)) { + skb_mac_header_was_set(entskb) && + skb_mac_header_len(entskb) != 0) { struct nfqnl_msg_packet_hw phw; int len; -- 2.34.1