diff options
| author |   Pablo Neira Ayuso <pablo@netfilter.org> | 2017-12-30 22:41:46 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-01-08 18:11:04 +0100 |
| commit | a7f87b47e67e4341f6175cdb80e5c2eaadf30dcb (patch) | |
| tree | 47f8be7118f28a8d3f4920968c96d3cb596d7ef2 /net/ipv4/netfilter/iptable_security.c | |
| parent | netfilter: meta: secpath support (diff) | |
| download | linux-dev-a7f87b47e67e4341f6175cdb80e5c2eaadf30dcb.tar.xz linux-dev-a7f87b47e67e4341f6175cdb80e5c2eaadf30dcb.zip | |
netfilter: remove defensive check on malformed packets from raw sockets
Users cannot forge malformed IPv4/IPv6 headers via raw sockets that they
can inject into the stack. Specifically, not for IPv4 since 55888dfb6ba7
("AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl
(v2)"). IPv6 raw sockets also ensure that packets have a well-formed
IPv6 header available in the skbuff.
At quick glance, br_netfilter also validates layer 3 headers and it
drops malformed both IPv4 and IPv6 packets.
Therefore, let's remove this defensive check all over the place.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4/netfilter/iptable_security.c')
| -rw-r--r-- | net/ipv4/netfilter/iptable_security.c | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c index ff226596e4b5..e5379fe57b64 100644 --- a/net/ipv4/netfilter/iptable_security.c +++ b/net/ipv4/netfilter/iptable_security.c @@ -43,12 +43,6 @@ static unsigned int iptable_security_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { - if (state->hook == NF_INET_LOCAL_OUT && - (skb->len < sizeof(struct iphdr) || - ip_hdrlen(skb) < sizeof(struct iphdr))) - /* Somebody is playing with raw sockets. */ - return NF_ACCEPT; - return ipt_do_table(skb, state, state->net->ipv4.iptable_security); } |