Re: [PATCH 4.19.y] netfilter: nft_payload: do not update layer 4 checksum when mangling fragments

On Fri, Jan 28, 2022 at 12:38:21PM +0100, Florian Westphal wrote:
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> 
> commit 4e1860a3863707e8177329c006d10f9e37e097a8 upstream.
> 
> IP fragments do not come with the transport header, hence skip bogus
> layer 4 checksum updates.
> 
> Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields")
> Reported-and-tested-by: Steffen Weinreich <steve@xxxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  This is already in the 5.y branches but 4.19 needs a minor
>  tweak as ->fragoff member resides in xt sub-struct.

Thanks for taking care of this -stable submission.

>  net/netfilter/nft_payload.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
> index b1a9f330a51f..fd87216bc0a9 100644
> --- a/net/netfilter/nft_payload.c
> +++ b/net/netfilter/nft_payload.c
> @@ -194,6 +194,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
>  				     struct sk_buff *skb,
>  				     unsigned int *l4csum_offset)
>  {
> +	if (pkt->xt.fragoff)
> +		return -1;
> +
>  	switch (pkt->tprot) {
>  	case IPPROTO_TCP:
>  		*l4csum_offset = offsetof(struct tcphdr, check);
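
Review bot: the early `return -1` under `if (pkt->xt.fragoff)` at the top of nft_payload_l4csum_offset() carries no comment explaining why a non-zero fragment offset ends the lookup. A one-line comment saying that such a packet has no transport header, so there is no layer 4 checksum field to adjust, would keep the reasoning from the commit message next to the code. The callers are not visible in this hunk, so it is worth confirming in the 4.19 tree that they treat -1 from this function as "skip the checksum update" in the same way as the existing failure paths, since the hunk reuses that return value for a case that is not an error.
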
> -- 
> 2.34.1
> 


