From: Florian Westphal <fw@strlen.de>
Date: Sun, 8 Oct 2023 17:36:53 +0000 (+0200)
Subject: netfilter: nft_payload: fix wrong mac header matching
X-Git-Tag: v6.6.7~1708^2~31^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6;p=platform%2Fkernel%2Flinux-starfive.git

netfilter: nft_payload: fix wrong mac header matching

mcast packets get looped back to the local machine.
Such packets have a 0-length mac header, we should treat
this like "mac header not set" and abort rule evaluation.

As-is, we just copy data from the network header instead.

Fixes: 96518518cc41 ("netfilter: add nftables")
Reported-by: Blažej Krajňák <krajnak@levonet.sk>
Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 120f6d3..0a689c8 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -179,7 +179,7 @@ void nft_payload_eval(const struct nft_expr *expr,
 
 	switch (priv->base) {
 	case NFT_PAYLOAD_LL_HEADER:
-		if (!skb_mac_header_was_set(skb))
+		if (!skb_mac_header_was_set(skb) || skb_mac_header_len(skb) == 0)
 			goto err;
 
 		if (skb_vlan_tag_present(skb) &&