59 lines
2.5 KiB
Diff
From f13fa4268ca4f296019b22954e6153e50f87350f Mon Sep 17 00:00:00 2001
From: Florian Westphal <fwestpha@redhat.com>
Date: Wed, 20 May 2026 11:48:57 +0200
Subject: [PATCH] netfilter: nft_inner: Fix IPv6 inner_thoff desync
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

JIRA: https://redhat.atlassian.net/browse/RHEL-168848
Upstream Status: commit b6a91f68ebfe

commit b6a91f68ebfed9c38e0e9150f58a9b85da07181c
Author: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Date: Tue May 12 01:30:41 2026 +0800

    netfilter: nft_inner: Fix IPv6 inner_thoff desync

    In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
    ipv6_find_hdr() correctly computes the transport header offset
    traversing all extension headers, but the result is immediately
    overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
    accounts for the IPv6 base header. This creates a desync between
    inner_thoff (wrong — points to extension header start) and l4proto
    (correct — e.g., IPPROTO_TCP), enabling transport header forgery
    and potential firewall bypass. This issue affects stable versions
    from Linux 6.2.

    For comparison, the normal (non-inner) IPv6 path correctly
    preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
    ensures that ipv6_find_hdr()'s calculated transport header offset is
    preserved, thereby fixing the desynchronization.

    Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
    Cc: stable@vger.kernel.org
    Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
    Reported-by: Xuewei Feng <fengxw06@126.com>
    Reported-by: Qi Li <qli01@tsinghua.edu.cn>
    Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
    Assisted-by: GLM:5.1 Z.ai
    Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
    Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
index c4569d4..1b3e7a9 100644
--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -163,7 +163,6 @@ static int nft_inner_parse_l2l3(const struct nft_inner *priv,
return -1;

if (fragoff == 0) {
- thoff = nhoff + sizeof(_ip6h);
ctx->flags |= NFT_PAYLOAD_CTX_INNER_TH;
ctx->inner_thoff = thoff;
ctx->l4proto = l4proto;
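Review bot: dropping `-	thoff = nhoff + sizeof(_ip6h);` is the right fix for the desync described in the message, but it makes `ctx->inner_thoff = thoff;` two lines below depend entirely on `thoff` already holding the value ipv6_find_hdr() produced, and that earlier assignment is outside this hunk; please confirm that `thoff` is the variable ipv6_find_hdr() writes its offset into on the `fragoff == 0` path, and that the `return -1;` at the top of the hunk covers the lookup-failure case, so no stale or uninitialized offset can reach inner_thoff now that the unconditional reset is gone. Since `ctx->l4proto = l4proto;` is set in the same block, the two fields are only consistent if both come from the same ipv6_find_hdr() walk; a selftest that encapsulates an IPv6 packet carrying at least one extension header ahead of the transport header and checks the inner transport match would pin that down and guard against the overwrite being reintroduced. The Fixes: and Cc: stable tags are present, which matches the "affects stable versions from Linux 6.2" claim.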