Patch "netfilter: flowtable: fix NAT IPv6 offload mangling" has been added to the 5.11-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 18 Apr 2021 14:39:32 +0200

This is a note to let you know that I've just added the patch titled

    netfilter: flowtable: fix NAT IPv6 offload mangling

to the 5.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-flowtable-fix-nat-ipv6-offload-mangling.patch
and it can be found in the queue-5.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 0e07e25b481aa021e4b48085ecb8a049e9614510 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Tue, 30 Mar 2021 16:24:11 +0200
Subject: netfilter: flowtable: fix NAT IPv6 offload mangling

From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

commit 0e07e25b481aa021e4b48085ecb8a049e9614510 upstream.

Fix out-of-bound access in the address array.

Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/netfilter/nf_flow_table_offload.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -305,12 +305,12 @@ static void flow_offload_ipv6_mangle(str
 				     const __be32 *addr, const __be32 *mask)
 {
 	struct flow_action_entry *entry;
-	int i;
+	int i, j;
 
-	for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32)) {
+	for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
 		entry = flow_action_entry_next(flow_rule);
 		flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
-				    offset + i, &addr[i], mask);
+				    offset + i, &addr[j], mask);
 	}
 }
 


Patches currently in stable-queue which might be from pablo@xxxxxxxxxxxxx are

queue-5.11/netfilter-flowtable-fix-nat-ipv6-offload-mangling.patch
queue-5.11/netfilter-nftables-clone-set-element-expression-template.patch
queue-5.11/netfilter-bridge-add-pre_exit-hooks-for-ebtable-unregistration.patch
queue-5.11/netfilter-arp_tables-add-pre_exit-hook-for-table-unregister.patch
queue-5.11/netfilter-nft_limit-avoid-possible-divide-error-in-nft_limit_init.patch
queue-5.11/netfilter-conntrack-do-not-print-icmpv6-as-unknown-via-proc.patch
queue-5.11/net-mlx5e-fix-ingress_ifindex-check-in-mlx5e_flower_parse_meta.patch






