On Tue, Jul 26, 2022 at 12:42:06PM +0200, Florian Westphal wrote:
> Domingo Dirutigliano and Nicola Guerrera report a kernel panic when
> sending an nf_queue verdict with a 1-byte nfta_payload attribute.
>
> The IP/IPv6 stack pulls the IP(v6) header from the packet after the
> input hook.
>
> If the user truncates the packet below the header size, this skb_pull() will
> result in a malformed skb (skb->len < 0).
>
> Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
> Reported-by: Domingo Dirutigliano <pwnzer0tt1@xxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
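The failure mode described above, as an added userspace model (not the patch, not kernel code, and not anything from the netfilter project): a queue handler that accepts a verdict-supplied replacement payload must bound the new length by the L3 header length of the original packet, because the stack will pull that header after the hook. The helpers below parse the original packet's IPv4 IHL or the fixed IPv6 header, derive the transport offset, and reject any truncation below it. The packets, the function names and the choice to ignore IPv6 extension headers are assumptions made for this example.

```c
/* Added example: userspace model of the length check a queue handler needs
 * before honouring a verdict that replaces the packet payload. Not the
 * kernel's code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 20-byte IPv4 header (IHL=5, proto UDP) + 8-byte UDP. */
static const uint8_t ipv4_pkt[] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00, 192, 0, 2, 1, 192, 0, 2, 2,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

/* Constructed sample: 40-byte IPv6 header (next header UDP) + 8-byte UDP. */
static const uint8_t ipv6_pkt[] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x11, 0x40,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,
    0x30, 0x39, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

/* Offset of the transport header, i.e. how many bytes the IP/IPv6 input path
 * will pull off the front of the packet. Returns -1 if the L3 header itself
 * is malformed. Assumption: IPv6 extension headers are not followed here. */
int l3_transport_offset(const uint8_t *pkt, size_t len)
{
    if (len < 1)
        return -1;
    switch (pkt[0] >> 4) {
    case 4: {
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        if (ihl < 20 || ihl > len)
            return -1;
        return (int)ihl;
    }
    case 6:
        return len >= 40 ? 40 : -1;
    default:
        return -1;
    }
}

/* Decide whether a verdict's replacement payload of new_len bytes may be
 * applied to the original packet. Growing the packet is always allowed;
 * shrinking it below the transport offset would leave the stack's later
 * skb_pull() with a negative length, so that is refused with -EINVAL. */
int validate_payload_len(const uint8_t *orig, size_t orig_len, size_t new_len)
{
    int min_len = l3_transport_offset(orig, orig_len);

    if (min_len < 0)
        return -EINVAL;
    if (new_len < orig_len && new_len < (size_t)min_len)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* The reported case: a 1-byte nfta_payload on an IPv4 packet. */
    printf("ipv4, 1-byte payload: %d\n",
           validate_payload_len(ipv4_pkt, sizeof ipv4_pkt, 1));
    printf("ipv4, trim to header: %d\n",
           validate_payload_len(ipv4_pkt, sizeof ipv4_pkt, 20));
    printf("ipv6, 1-byte payload: %d\n",
           validate_payload_len(ipv6_pkt, sizeof ipv6_pkt, 1));
    return 0;
}
```

The check is deliberately expressed against the transport offset of the original packet rather than against a fixed 20 or 40, so an IPv4 header with options (IHL greater than 5) is bounded correctly as well.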