Skip to content
Snippets Groups Projects
Commit 7651fcca authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by Frieder Schrempf
Browse files

netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 


[ Upstream commit d5953d68 ]

If access to offset + length is larger than the skbuff length, then
skb_checksum() triggers BUG_ON().

skb_checksum() internally subtracts the length parameter while iterating
over skbuff, BUG_ON(len) at the end of it checks that the expected
length to be included in the checksum calculation is fully consumed.

Fixes: 7ec3f7b4 ("netfilter: nft_payload: add packet mangling support")
Reported-by: default avatarSlavin Liu <slavin-ayu@qq.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 9a401856
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment