This is a note to let you know that I've just added the patch titled
netfilter: nft_exthdr: Fix for unsafe packet data read
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
netfilter-nft_exthdr-fix-for-unsafe-packet-data-read.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit f51e61672dd183021c0c8b64a2d160524fe71823
Author: Phil Sutter <phil@xxxxxx>
Date: Tue Jun 8 11:40:57 2021 +0200
netfilter: nft_exthdr: Fix for unsafe packet data read
[ Upstream commit cf6b5ffdce5a78b2fcb0e53b3a2487c490bcbf7f ]
While iterating through an SCTP packet's chunks, skb_header_pointer() is
called for the minimum expected chunk header size. If (that part of) the
skbuff is non-linear, the following memcpy() may read data past
temporary buffer '_sch'. Use skb_copy_bits() instead which does the
right thing in this situation.
Fixes: 133dc203d77df ("netfilter: nft_exthdr: Support SCTP chunks")
Suggested-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Phil Sutter <phil@xxxxxx>
Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 274c5f0085186..eb183c024ac46 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -389,7 +389,9 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
break;
dest[priv->len / NFT_REG32_SIZE] = 0;
- memcpy(dest, (char *)sch + priv->offset, priv->len);
+ if (skb_copy_bits(pkt->skb, offset + priv->offset,
+ dest, priv->len) < 0)
+ break;
return;
}
offset += SCTP_PAD4(ntohs(sch->length));
