netfilter: nft_payload: don't allow th access for fragments - linux-dev - Linux kernel development work

diff options

author	Florian Westphal <fw@strlen.de>	2022-01-29 17:13:23 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-02-04 05:38:15 +0100
commit	a9e8503def0fd4ed89ade1f61c315f904581d439 (patch)
tree	7e7678e27bded2e65072d96af8f9a227f5cca3ab /include/uapi/linux/can/git:/ssh:
parent	netfilter: conntrack: don't refresh sctp entries in closed state (diff)

netfilter: nft_payload: don't allow th access for fragments

Loads relative to ->thoff naturally expect that this points to the transport header, but this is only true if pkt->fragoff == 0. This has little effect for rulesets with connection tracking/nat because these enable ip defra. For other rulesets this prevents false matches. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include/uapi/linux/can/git:/ssh:')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: