Patch "netfilter: nf_tables: fix 'exist' matching on bigendian arches" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: fix 'exist' matching on bigendian arches

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-fix-exist-matching-on-bigendian-.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d1c8db618dcdd734dc8323997fd667801571201c
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Mon Dec 4 12:29:54 2023 +0100

    netfilter: nf_tables: fix 'exist' matching on bigendian arches
    
    [ Upstream commit 63331e37fb227e796894b31d713697612c8dee7f ]
    
    Maze reports "tcp option fastopen exists" fails to match on
    OpenWrt 22.03.5, r20134-5f15225c1e (5.10.176) router.
    
    "tcp option fastopen exists" translates to:
    inet
      [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ]
      [ cmp eq reg 1 0x00000001 ]
    
    .. but existing nft userspace generates a 1-byte compare.
    
    On LSB (x86), "*reg32 = 1" is identical to nft_reg_store8(reg32, 1), but
    not on MSB, which will place the 1 last. IOW, on bigendian aches the cmp8
    is awalys false.
    
    Make sure we store this in a consistent fashion, so existing userspace
    will also work on MSB (bigendian).
    
    Regardless of this patch we can also change nft userspace to generate
    'reg32 == 0' and 'reg32 != 0' instead of u8 == 0 // u8 == 1 when
    adding 'option x missing/exists' expressions as well.
    
    Fixes: 3c1fece8819e ("netfilter: nft_exthdr: Allow checking TCP option presence, too")
    Fixes: b9f9a485fb0e ("netfilter: nft_exthdr: add boolean DCCP option matching")
    Fixes: 055c4b34b94f ("netfilter: nft_fib: Support existence check")
    Reported-by: Maciej Żenczykowski <zenczykowski@xxxxxxxxx>
    Closes: https://lore.kernel.org/netfilter-devel/CAHo-OozyEqHUjL2-ntATzeZOiuftLWZ_HU6TOM_js4qLfDEAJg@xxxxxxxxxxxxxx/
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Acked-by: Phil Sutter <phil@xxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 3fbaa7bf41f9c..6eb571d0c3fdf 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -214,7 +214,7 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
 
 		offset = i + priv->offset;
 		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
-			*dest = 1;
+			nft_reg_store8(dest, 1);
 		} else {
 			if (priv->len % NFT_REG32_SIZE)
 				dest[priv->len / NFT_REG32_SIZE] = 0;
@@ -461,7 +461,7 @@ static void nft_exthdr_dccp_eval(const struct nft_expr *expr,
 		type = bufp[0];
 
 		if (type == priv->type) {
-			*dest = 1;
+			nft_reg_store8(dest, 1);
 			return;
 		}
 
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index 04b51f2853321..ca905aa8227e5 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -145,11 +145,15 @@ void nft_fib_store_result(void *reg, const struct nft_fib *priv,
 	switch (priv->result) {
 	case NFT_FIB_RESULT_OIF:
 		index = dev ? dev->ifindex : 0;
-		*dreg = (priv->flags & NFTA_FIB_F_PRESENT) ? !!index : index;
+		if (priv->flags & NFTA_FIB_F_PRESENT)
+			nft_reg_store8(dreg, !!index);
+		else
+			*dreg = index;
+
 		break;
 	case NFT_FIB_RESULT_OIFNAME:
 		if (priv->flags & NFTA_FIB_F_PRESENT)
-			*dreg = !!dev;
+			nft_reg_store8(dreg, !!dev);
 		else
 			strscpy_pad(reg, dev ? dev->name : "", IFNAMSIZ);
 		break;




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux