linux/net/netfilter
Fernando Fernandez Mancera 711987ba28 netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
The nf_osf_ttl() function accessed skb->dev to perform a local interface
address lookup without verifying that the device pointer was valid.

Additionally, the implementation utilized an in_dev_for_each_ifa_rcu
loop to match the packet source address against local interface
addresses. It assumed that packets from the same subnet should not see a
decrement on the initial TTL. A packet might appear to be from the same
subnet but it actually isn't, especially in modern environments with
containers and virtual switching.

Remove the device dereference and interface loop. Replace the logic with
a switch statement that evaluates the TTL according to the ttl_check.

Fixes: 11eeef41d5 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Kito Xu (veritas501) <hxzene@gmail.com>
Closes: https://lore.kernel.org/netfilter-devel/20260414074556.2512750-1-hxzene@gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-04-20 23:45:44 +02:00
..
ipset netfilter: require Ethernet MAC header before using eth_hdr() 2026-04-10 12:16:27 +02:00
ipvs ipvs: fix MTU check for GSO packets in tunnel mode 2026-04-20 23:45:43 +02:00
core.c netfilter: remove nf_ipv6_ops and use direct function calls 2026-03-29 11:21:24 -07:00
Kconfig netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
Makefile netfilter: flowtable: move path discovery infrastructure to its own file 2025-11-27 23:59:43 +00:00
nf_bpf_link.c netfilter: bpf: defer hook memory release until rcu readers are done 2026-03-19 10:26:31 +01:00
nf_conncount.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_conntrack_acct.c
nf_conntrack_amanda.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_bpf.c Networking changes for 7.0 2026-02-11 19:31:52 -08:00
nf_conntrack_broadcast.c netfilter: nf_conntrack_expect: store netns and zone in expectation 2026-03-26 13:24:40 +01:00
nf_conntrack_core.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_ecache.c netfilter: ctnetlink: ensure safe access to master conntrack 2026-03-26 13:18:32 +01:00
nf_conntrack_expect.c netfilter: nf_conntrack_expect: skip expectations in other netns via proc 2026-03-26 13:28:03 +01:00
nf_conntrack_extend.c netfilter: conntrack: fix extension size table 2023-09-13 21:57:50 +02:00
nf_conntrack_ftp.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined 2026-04-08 07:51:31 +02:00
nf_conntrack_h323_main.c netfilter: nf_conntrack_expect: honor expectation helper field 2026-03-26 13:18:31 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_conntrack_helper: pass helper to expect cleanup 2026-04-01 11:55:29 +02:00
nf_conntrack_irc.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_labels.c netfilter: conntrack: switch connlabels to atomic_t 2023-10-24 13:16:30 +02:00
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-02 11:03:13 -07:00
nf_conntrack_ovs.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
nf_conntrack_pptp.c
nf_conntrack_proto_generic.c netfilter: nf_conntrack: Add allow_clash to generic protocol handler 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_gre.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_sctp.c netfilter: conntrack: add missing netlink policy validations 2026-03-13 15:31:14 +01:00
nf_conntrack_proto_tcp.c netfilter: ctnetlink: use netlink policy range checks 2026-03-26 13:28:17 +01:00
nf_conntrack_proto_udp.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_proto.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: remove net variable shadowing 2026-04-08 07:51:27 +02:00
nf_conntrack_snmp.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_standalone.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_conntrack_tftp.c netfilter: use function typedefs for __rcu NAT helper hook pointers 2026-04-08 07:51:26 +02:00
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it 2026-04-08 07:51:31 +02:00
nf_flow_table_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_flow_table_core.c netfilter: flowtable: dedicated slab for flow entry 2026-02-06 13:34:55 +01:00
nf_flow_table_inet.c net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init() 2024-09-12 15:41:03 +02:00
nf_flow_table_ip.c netfilter: nf_flow_table_ip: reset mac header before vlan push 2026-03-13 15:31:15 +01:00
nf_flow_table_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-02 11:03:13 -07:00
nf_flow_table_path.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_flow_table_procfs.c
nf_flow_table_xdp.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_hooks_lwtunnel.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
nf_internals.h netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core 2024-06-19 18:41:59 +02:00
nf_log_syslog.c netfilter: require Ethernet MAC header before using eth_hdr() 2026-04-10 12:16:27 +02:00
nf_log.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_nat_amanda.c netfilter: conntrack: remove sprintf usage 2026-04-20 23:27:46 +02:00
nf_nat_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_nat_core.c netfilter: nat: use kfree_rcu to release ops 2026-04-20 23:45:41 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c netfilter: remove nf_ipv6_ops and use direct function calls 2026-03-29 11:21:24 -07:00
nf_nat_ovs.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_nat_proto.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nf_nat_redirect.c netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses 2023-11-08 16:40:30 +01:00
nf_nat_sip.c netfilter: conntrack: remove sprintf usage 2026-04-20 23:27:46 +02:00
nf_nat_tftp.c
nf_queue.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
nf_sockopt.c
nf_synproxy_core.c netfilter: don't include xt and nftables.h in unrelated subsystems 2026-01-20 16:23:37 +01:00
nf_tables_api.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nf_tables_core.c netfilter: nft_meta: add double-tagged vlan and pppoe support 2026-04-08 07:51:31 +02:00
nf_tables_offload.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_tables_trace.c netfilter: nf_tables: hide clash bit from userspace 2025-07-14 15:22:35 +02:00
nfnetlink_acct.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nfnetlink_cthelper.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nfnetlink_cttimeout.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nfnetlink_hook.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nfnetlink_log.c netfilter: nfnetlink: prefer skb_mac_header helpers 2026-04-10 12:16:26 +02:00
nfnetlink_osf.c netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check 2026-04-20 23:45:44 +02:00
nfnetlink_queue.c netfilter: nfnetlink: prefer skb_mac_header helpers 2026-04-10 12:16:26 +02:00
nfnetlink.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
nft_bitwise.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_byteorder.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_chain_filter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-12 12:53:34 -07:00
nft_chain_nat.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nft_chain_route.c
nft_cmp.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_compat.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_connlimit.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_counter.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_ct_fast.c
nft_ct.c netfilter: conntrack: remove UDP-Lite conntrack support 2026-04-10 12:16:26 +02:00
nft_dup_netdev.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_dynset.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_exthdr.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_fib_inet.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_fib_netdev.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_fib.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_flow_offload.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_fwd_netdev.c netfilter: nft_fwd_netdev: check ttl/hl before forwarding 2026-04-10 12:16:27 +02:00
nft_hash.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_immediate.c netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it 2026-04-08 07:51:31 +02:00
nft_inner.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_last.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-02-26 10:23:00 -08:00
nft_limit.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_log.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_lookup.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_masq.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_meta.c netfilter: nft_meta: add double-tagged vlan and pppoe support 2026-04-08 07:51:31 +02:00
nft_nat.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_numgen.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_objref.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_osf.c netfilter: nft_osf: restrict it to ipv4 2026-04-20 23:27:36 +02:00
nft_payload.c netfilter: nft_meta: add double-tagged vlan and pppoe support 2026-04-08 07:51:31 +02:00
nft_queue.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_quota.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_range.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_redir.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_reject_inet.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_reject_netdev.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_reject.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_rt.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_set_bitmap.c netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation 2025-09-10 20:28:24 +02:00
nft_set_hash.c netfilter: nf_tables: clone set on flush only 2026-03-05 13:22:37 +01:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow 2026-04-08 07:51:31 +02:00
nft_set_pipapo_avx2.h netfilter: nft_set_pipapo: use avx2 algorithm for insertions too 2025-08-20 13:52:37 +02:00
nft_set_pipapo.c netfilter: nft_set_pipapo: increment data in one step 2026-04-08 07:51:31 +02:00
nft_set_pipapo.h netfilter: nft_set_pipapo: increment data in one step 2026-04-08 07:51:31 +02:00
nft_set_rbtree.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-26 12:09:57 -07:00
nft_socket.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_synproxy.c netfilter: add more netlink-based policy range checks 2026-04-08 07:51:30 +02:00
nft_tproxy.c netfilter: nf_tables: remove register tracking infrastructure 2026-02-25 19:36:26 -08:00
nft_tunnel.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
nft_xfrm.c netfilter: nf_tables: add netlink policy based cap on registers 2026-04-08 07:51:31 +02:00
utils.c netfilter: remove nf_ipv6_ops and use direct function calls 2026-03-29 11:21:24 -07:00
x_tables.c netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings 2026-04-10 12:16:27 +02:00
xt_addrtype.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_AUDIT.c audit: add audit_log_nf_skb helper function 2025-12-16 11:04:14 -05:00
xt_bpf.c
xt_cgroup.c netfilter: x_tables: ensure names are nul-terminated 2026-04-01 11:55:29 +02:00
xt_CHECKSUM.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CLASSIFY.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_cluster.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_comment.c
xt_connbytes.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
xt_connlabel.c
xt_connlimit.c net: Add SPDX ids to some source files 2026-03-09 18:32:45 -07:00
xt_connmark.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CONNSECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: xt_CT: drop pending enqueued packets on template removal 2026-03-13 15:31:15 +01:00
xt_dccp.c netfilter: add deprecation warning for dccp support 2026-04-08 07:51:27 +02:00
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_helper.c
xt_hl.c netfilter: xt_HL: add pr_fmt and checkentry validation 2026-04-10 12:16:26 +02:00
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels 2026-03-10 14:10:43 +01:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_length.c
xt_limit.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_LOG.c
xt_mac.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_mark.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_MASQUERADE.c
xt_multiport.c netfilter: xt_multiport: validate range encoding in checkentry 2026-04-08 13:33:38 +02:00
xt_nat.c
xt_NETMAP.c
xt_nfacct.c netfilter: xt_nfacct: don't assume acct name is null-terminated 2025-07-25 18:40:43 +02:00
xt_NFLOG.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_NFQUEUE.c
xt_osf.c
xt_owner.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_physdev.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_pkttype.c
xt_policy.c
xt_quota.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_rateest.c netfilter: x_tables: ensure names are nul-terminated 2026-04-01 11:55:29 +02:00
xt_RATEEST.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_realm.c netfilter: xtables: restrict several matches to inet family 2026-04-20 23:27:52 +02:00
xt_recent.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_REDIRECT.c
xt_repldata.h netfilter: xtables: Use strscpy() instead of strscpy_pad() 2025-03-23 10:53:47 +01:00
xt_sctp.c netfilter: xt_sctp: validate the flag_info count 2023-08-30 17:34:01 +02:00
xt_SECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_set.c
xt_socket.c netfilter: xt_socket: enable defrag after all other checks 2026-04-10 12:16:26 +02:00
xt_state.c
xt_statistic.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_string.c
xt_tcpmss.c netfilter: xt_tcpmss: check remaining length before reading optlen 2026-01-20 16:23:38 +01:00
xt_TCPMSS.c
xt_TCPOPTSTRIP.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_tcpudp.c netfilter: x_tables: guard option walkers against 1-byte tail reads 2026-03-10 14:10:42 +01:00
xt_TEE.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_time.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-19 14:16:00 -07:00
xt_TPROXY.c
xt_TRACE.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_u32.c netfilter: xt_u32: validate user space input 2023-08-30 17:34:01 +02:00