diff mbox series

[net,1/4] netfilter: ctnetlink: use helper function to calculate expect ID

Message ID 20240717215214.225394-2-pablo@netfilter.org (mailing list archive)
State Accepted
Commit 782161895eb4ac45cf7cfa8db375bd4766cb8299
Delegated to: Netdev Maintainers
Headers show
Series [net,1/4] netfilter: ctnetlink: use helper function to calculate expect ID | expand

Checks

Context Check Description
netdev/series_format success Pull request is its own cover letter
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 661 this patch: 661
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 2 maintainers not CCed: coreteam@netfilter.org kadlec@netfilter.org
netdev/build_clang success Errors and warnings before: 662 this patch: 662
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 663 this patch: 663
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest fail net-next-2024-07-18--00-00 (tests: 699)

Commit Message

Pablo Neira Ayuso July 17, 2024, 9:52 p.m. UTC 
Delete expectation path is missing a call to the nf_expect_get_id()
helper function to calculate the expectation ID, otherwise LSB of the
expectation object address is leaked to userspace.

Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
Reported-by: zdi-disclosures@trendmicro.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org July 18, 2024, 11:40 a.m. UTC | #1 
Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Wed, 17 Jul 2024 23:52:11 +0200 you wrote:
> Delete expectation path is missing a call to the nf_expect_get_id()
> helper function to calculate the expectation ID, otherwise LSB of the
> expectation object address is leaked to userspace.
> 
> Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
> Reported-by: zdi-disclosures@trendmicro.com
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> [...]

Here is the summary with links:
  - [net,1/4] netfilter: ctnetlink: use helper function to calculate expect ID
    https://git.kernel.org/netdev/net/c/782161895eb4
  - [net,2/4] netfilter: nf_set_pipapo: fix initial map fill
    https://git.kernel.org/netdev/net/c/791a615b7ad2
  - [net,3/4] selftests: netfilter: add test case for recent mismatch bug
    https://git.kernel.org/netdev/net/c/0935ee6032df
  - [net,4/4] ipvs: properly dereference pe in ip_vs_add_service
    https://git.kernel.org/netdev/net/c/cbd070a4ae62

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 3b846cbdc050..4cbf71d0786b 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3420,7 +3420,8 @@  static int ctnetlink_del_expect(struct sk_buff *skb,
 
 		if (cda[CTA_EXPECT_ID]) {
 			__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
-			if (ntohl(id) != (u32)(unsigned long)exp) {
+
+			if (id != nf_expect_get_id(exp)) {
 				nf_ct_expect_put(exp);
 				return -ENOENT;
 			}