netfilter: nf_flow_table: check ttl value in flow offload data path
authorTaehee Yoo <ap420073@gmail.com>
Mon, 29 Apr 2019 16:55:54 +0000 (01:55 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 15 Jun 2019 09:54:06 +0000 (11:54 +0200)
[ Upstream commit 33cc3c0cfa64c86b6c4bbee86997aea638534931 ]

nf_flow_offload_ip_hook() and nf_flow_offload_ipv6_hook() do not check the
ttl value, so a ttl value overflow may occur.

Fixes: 97add9f0d66d ("netfilter: flow table support for IPv4")
Fixes: 0995210753a2 ("netfilter: flow table support for IPv6")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nf_flow_table_ip.c

index 15ed913..129e9ec 100644 (file)
@@ -181,6 +181,9 @@ static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
            iph->protocol != IPPROTO_UDP)
                return -1;
 
+       if (iph->ttl <= 1)
+               return -1;
+
        thoff = iph->ihl * 4;
        if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
                return -1;
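Review bot: The added `if (iph->ttl <= 1)` guard has no comment explaining why these packets are refused in the tuple parser, and the reason is not obvious from the check alone. Judging by the commit message, the offload hooks decrement the TTL later, so a packet arriving with ttl 0 or 1 would either expire or wrap the 8-bit field and defeat loop protection. Returning -1 presumably hands the packet back to the regular forwarding path, which handles expiry; the caller is outside the hunk, so this should be confirmed. I would add a comment above the check such as `/* ttl <= 1 must not take the fast path: the later decrement would expire or wrap it */`, and the same for `ip6h->hop_limit <= 1` in the nf_flow_tuple_ipv6 hunk. Both functions begin and end outside their hunks.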
@@ -412,6 +415,9 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
            ip6h->nexthdr != IPPROTO_UDP)
                return -1;
 
+       if (ip6h->hop_limit <= 1)
+               return -1;
+
        thoff = sizeof(*ip6h);
        if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
                return -1;