netfilter pull request nf-26-03-19

-----BEGIN PGP SIGNATURE----- iQJdBAABCABHFiEEgKkgxbID4Gn1hq6fcJGo2a1f9gAFAmm7wZsbFIAAAAAABAAO bWFudTIsMi41KzEuMTEsMiwyDRxmd0BzdHJsZW4uZGUACgkQcJGo2a1f9gDnHw// a/jfOMhAMkidjM7F25r13bJTmFMf5WOZhpLPVnrehnGEaWtuoMEIoOy+KblAvIQ6 iGHRdF9p2DRb096CTVk6RkUYf8g6OkYyClAtNlKUHm0zl8r2g0PmAjblwK5bp62X rpOMoOj2BfTf/PdVJQtqwWdnQJ7BvxrDU+YxHDOpK9zQbkfXBYywFV8QlfNFN9Gz cC2bQw3ceiaP0hnMFu2qEPkJlhx53NpOi3qdSVzH7W01TfVtKZaye/4gF1HlXEZq wveXOnF/BjnI17FlC3dQ3rYBuSonSQkdMRU2bK9YTryNVVfijPNDYgqmQPSwJmnb Q6uF9Oo0QcYD3Polac5QvNJiXYw5uXKCpVvJ8zvZN3OR4n44UyKVwTaHWoU0/wLd gJjt77FqfH89aSoKa5dWtRHosW3tU9KPek7Lb0xRfuUMHXrGaY6EdjXXq+xCbk+w XuqOHxoeSu6s2eQ2UluAQVQCRYtb0WBRDn/m6N70a/cbJOSmCVGHc6IggGGmOXex IxuGF2qLYnzs7ExKQvdH8iDVo52lrSvFT9XuyDBVxKhEQ1f+Hg6advz+MU/Q27J1 bzV71UkBo4YJvXvBculQRnZe9McVeEN56maXM9Uo0TMsa6mHTZ62n57lnssDq0qI 2zeKD0z282ZBInDEx1tLat9evMiQ5iAX1u0M49mFn+A= =TaQ+ -----END PGP SIGNATURE----- Merge tag 'nf-26-03-19' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Florian Westphal says: ==================== netfilter: updates for net The following patchset contains Netfilter fixes for *net*: 1) Fix UaF when netfilter bpf link goes away while nfnetlink dumps current hook list, we have to wait until rcu readers are gone. 2) Fix UaF when flowtable fails to register all devices, similar bug as 1). From Pablo Neira Ayuso. 3) nfnetlink_osf fails to properly validate option length fields. From Weiming Shi. netfilter pull request nf-26-03-19 * tag 'nf-26-03-19' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: nfnetlink_osf: validate individual option lengths in fingerprints netfilter: nf_tables: release flowtable after rcu grace period on error netfilter: bpf: defer hook memory release until rcu readers are done ==================== Link: https://patch.msgid.link/20260319093834.19933-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-05-30 01:53:29 +02:00 · 2026-03-19 15:39:33 +01:00 · 2026-03-19 15:39:33 +01:00 · e7577a06ae
commit e7577a06ae
parent d75ec7e8ba dbdfaae960
3 changed files with 15 additions and 1 deletions
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@ -170,7 +170,7 @@ static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_prog,

 static const struct bpf_link_ops bpf_nf_link_lops = {
 	.release = bpf_nf_link_release,
-	.dealloc = bpf_nf_link_dealloc,
+	.dealloc_deferred = bpf_nf_link_dealloc,
 	.detach = bpf_nf_link_detach,
 	.show_fdinfo = bpf_nf_link_show_info,
 	.fill_link_info = bpf_nf_link_fill_link_info,
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@ -9203,6 +9203,7 @@ static int nf_tables_newflowtable(struct sk_buff *skb,
 	return 0;

 err_flowtable_hooks:
+	synchronize_rcu();
 	nft_trans_destroy(trans);
 err_flowtable_trans:
 	nft_hooks_destroy(&flowtable->hook_list);
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@ -302,7 +302,9 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
 {
 	struct nf_osf_user_finger *f;
 	struct nf_osf_finger *kf = NULL, *sf;
+	unsigned int tot_opt_len = 0;
 	int err = 0;
+	int i;

 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
@ -318,6 +320,17 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
 	if (f->opt_num > ARRAY_SIZE(f->opt))
 		return -EINVAL;

+	for (i = 0; i < f->opt_num; i++) {
+		if (!f->opt[i].length || f->opt[i].length > MAX_IPOPTLEN)
+			return -EINVAL;
+		if (f->opt[i].kind == OSFOPT_MSS && f->opt[i].length < 4)
+			return -EINVAL;
+
+		tot_opt_len += f->opt[i].length;
+		if (tot_opt_len > MAX_IPOPTLEN)
+			return -EINVAL;
+	}
+
 	if (!memchr(f->genre, 0, MAXGENRELEN) ||
 	    !memchr(f->subtype, 0, MAXGENRELEN) ||
 	    !memchr(f->version, 0, MAXGENRELEN))