git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit

netfilter: nf_tables_offload: incorrect flow offload action array size

immediate verdict expression needs to allocate one slot in the flow offload
action array, however, immediate data expression does not need to do so.

fwd and dup expression need to allocate one slot, this is missing.

Add a new offload_action interface to report if this expression needs to
allocate one slot in the flow offload action array.

Fixes: be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: add offload support")
Reported-and-tested-by: Nick Gregory <Nick.Gregory@Sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(backported from commit b1a5983f56e371046dcf164f90bfaf704d2b89f6 net.git)
[cascardo: there is no offload_stats at struct nft_expr_ops]
CVE-2022-25636
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 22 Feb 2022 17:49:15 +0000 (14:49 -0300)
committer	Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
	Wed, 2 Mar 2022 08:32:18 +0000 (05:32 -0300)
commit	81fb9f2317407a75112c3a33a43c8f11b31391ac
tree	bcf33d2c8834e53f7dfaca2711f832a9d2ca02b6	tree
parent	53c643ff4e78f16beb4ec57904013c1366a9fb49	commit \| diff

include/net/netfilter/nf_tables.h		diff \| blob \| blame \| history
include/net/netfilter/nf_tables_offload.h		diff \| blob \| blame \| history
net/netfilter/nf_tables_offload.c		diff \| blob \| blame \| history
net/netfilter/nft_dup_netdev.c		diff \| blob \| blame \| history
net/netfilter/nft_fwd_netdev.c		diff \| blob \| blame \| history
net/netfilter/nft_immediate.c		diff \| blob \| blame \| history