netfilter: nft_payload: do not update layer 4 checksum when mangling fragments
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 5 Jan 2022 15:09:57 +0000 (16:09 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Jan 2022 10:03:51 +0000 (11:03 +0100)
[ Upstream commit 4e1860a3863707e8177329c006d10f9e37e097a8 ]

IP fragments do not come with the transport header, hence skip bogus
layer 4 checksum updates.

Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields")
Reported-and-tested-by: Steffen Weinreich <steve@weinreich.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nft_payload.c

index a44b14f..132875c 100644
@@ -502,6 +502,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
                                     struct sk_buff *skb,
                                     unsigned int *l4csum_offset)
 {
+       if (pkt->fragoff)
+               return -1;
+
        switch (pkt->tprot) {
        case IPPROTO_TCP:
                *l4csum_offset = offsetof(struct tcphdr, check);
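Review bot: The new `if (pkt->fragoff) return -1;` at the top of nft_payload_l4csum_offset() signals the fragment case with the same failure value the helper uses for other lookups, while the commit message describes the intent as "skip bogus layer 4 checksum updates"; please confirm that every caller of this helper treats -1 as a benign no-op for non-first fragments rather than as an error that changes the rule's verdict, since the check now applies to all callers, not only the pseudoheader adjustment path named in the Fixes tag. A one-line comment above the check, e.g. `/* non-first fragments carry no transport header */`, would also make it clear why pkt->fragoff (nonzero only for non-first fragments) is the right condition and that the first fragment, which does carry the transport header, still gets its checksum updated.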