As in commit c543cb4a5f07 ("ipv4: ensure rcu_read_lock() in ipv4_link_failure()")
and commit 3e72dfdf8227 ("ipv4: ensure rcu_read_lock() in cipso_v4_error()"),
__ip_options_compile() must be called under rcu protection.
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Matteo Croce <mcroce@xxxxxxxxxx>
---
net/netfilter/nft_exthdr.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index a5e8469859e3..752264b3043a 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -77,6 +77,7 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb,
bool found = false;
__be32 info;
int optlen;
+ int ret;
iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
if (!iph)
@@ -95,7 +96,11 @@ static int ipv4_find_option(struct net *net, struct sk_buff *skb,
return -EBADMSG;
opt->optlen = optlen;
- if (__ip_options_compile(net, opt, NULL, &info))
+ rcu_read_lock();
+ ret = __ip_options_compile(net, opt, NULL, &info);
+ rcu_read_unlock();
+
+ if (ret)
return -EBADMSG;
switch (target) {
--
2.24.1
