linux/net/netfilter
David Carlier 8f15b5071b netfilter: ctnetlink: use netlink policy range checks
Replace manual range and mask validations with netlink policy
annotations in ctnetlink code paths, so that the netlink core rejects
invalid values early and can generate extack errors.

- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at
  policy level, removing the manual >= TCP_CONNTRACK_MAX check.
- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE
  (14). The normal TCP option parsing path already clamps to this value,
  but the ctnetlink path accepted 0-255, causing undefined behavior when
  used as a u32 shift count.
- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with
  CTA_FILTER_F_ALL, removing the manual mask checks.
- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding
  a new mask define grouping all valid expect flags.

Extracted from a broader nf-next patch by Florian Westphal, scoped to
ctnetlink for the fixes tree.

Fixes: c8e2078cfe ("[NETFILTER]: ctnetlink: add support for internal tcp connection tracking flags handling")
Signed-off-by: David Carlier <devnexen@gmail.com>
Co-developed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2026-03-26 13:28:17 +01:00
ipset Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ipvs Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
Kconfig
Makefile netfilter: flowtable: move path discovery infrastructure to its own file 2025-11-27 23:59:43 +00:00
core.c
nf_bpf_link.c netfilter: bpf: defer hook memory release until rcu readers are done 2026-03-19 10:26:31 +01:00
nf_conncount.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_conntrack_acct.c
nf_conntrack_amanda.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_bpf.c Networking changes for 7.0 2026-02-11 19:31:52 -08:00
nf_conntrack_broadcast.c netfilter: nf_conntrack_expect: store netns and zone in expectation 2026-03-26 13:24:40 +01:00
nf_conntrack_core.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_conntrack_ecache.c netfilter: ctnetlink: ensure safe access to master conntrack 2026-03-26 13:18:32 +01:00
nf_conntrack_expect.c netfilter: nf_conntrack_expect: skip expectations in other netns via proc 2026-03-26 13:28:03 +01:00
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() 2026-03-13 15:31:15 +01:00
nf_conntrack_h323_main.c netfilter: nf_conntrack_expect: honor expectation helper field 2026-03-26 13:18:31 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_conntrack_expect: use expect->helper 2026-03-26 13:18:31 +01:00
nf_conntrack_irc.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: use netlink policy range checks 2026-03-26 13:28:17 +01:00
nf_conntrack_ovs.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
nf_conntrack_pptp.c
nf_conntrack_proto.c
nf_conntrack_proto_generic.c netfilter: nf_conntrack: Add allow_clash to generic protocol handler 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_gre.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_sctp.c netfilter: conntrack: add missing netlink policy validations 2026-03-13 15:31:14 +01:00
nf_conntrack_proto_tcp.c netfilter: ctnetlink: use netlink policy range checks 2026-03-26 13:28:17 +01:00
nf_conntrack_proto_udp.c
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp 2026-03-26 13:28:17 +01:00
nf_conntrack_snmp.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_standalone.c
nf_conntrack_tftp.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c
nf_flow_table_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_flow_table_core.c netfilter: flowtable: dedicated slab for flow entry 2026-02-06 13:34:55 +01:00
nf_flow_table_inet.c
nf_flow_table_ip.c netfilter: nf_flow_table_ip: reset mac header before vlan push 2026-03-13 15:31:15 +01:00
nf_flow_table_offload.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_flow_table_path.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_flow_table_procfs.c
nf_flow_table_xdp.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_hooks_lwtunnel.c
nf_internals.h
nf_log.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_log_syslog.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
nf_nat_amanda.c
nf_nat_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_nat_core.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_nat_ovs.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_nat_proto.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_nat_redirect.c
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c
nf_sockopt.c
nf_synproxy_core.c netfilter: don't include xt and nftables.h in unrelated subsystems 2026-01-20 16:23:37 +01:00
nf_tables_api.c netfilter: nf_tables: release flowtable after rcu grace period on error 2026-03-19 10:26:31 +01:00
nf_tables_core.c
nf_tables_offload.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_tables_trace.c
nfnetlink.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_acct.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_cthelper.c netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() 2026-03-10 14:10:42 +01:00
nfnetlink_cttimeout.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_hook.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_log.c netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD 2026-03-26 13:15:46 +01:00
nfnetlink_osf.c nfnetlink_osf: validate individual option lengths in fingerprints 2026-03-19 10:27:07 +01:00
nfnetlink_queue.c netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path 2026-03-10 14:10:42 +01:00
nft_bitwise.c
nft_byteorder.c
nft_chain_filter.c netfilter: nf_tables: Fix for duplicate device in netdev hooks 2026-03-10 14:10:42 +01:00
nft_chain_nat.c
nft_chain_route.c
nft_cmp.c
nft_compat.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_connlimit.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_counter.c netfilter: nft_counter: serialize reset with spinlock 2026-02-17 15:04:20 +01:00
nft_ct.c netfilter: nft_ct: drop pending enqueued packets on removal 2026-03-13 15:31:15 +01:00
nft_ct_fast.c
nft_dup_netdev.c
nft_dynset.c nf_tables: nft_dynset: fix possible stateful expression memleak in error path 2026-03-13 15:31:15 +01:00
nft_exthdr.c
nft_fib.c
nft_fib_inet.c
nft_fib_netdev.c
nft_flow_offload.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nft_fwd_netdev.c
nft_hash.c
nft_immediate.c
nft_inner.c
nft_last.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_limit.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_log.c audit: add audit_log_nf_skb helper function 2025-12-16 11:04:14 -05:00
nft_lookup.c
nft_masq.c
nft_meta.c
nft_nat.c
nft_numgen.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_objref.c
nft_osf.c
nft_payload.c
nft_queue.c
nft_quota.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_range.c
nft_redir.c
nft_reject.c
nft_reject_inet.c
nft_reject_netdev.c
nft_rt.c
nft_set_bitmap.c
nft_set_hash.c netfilter: nf_tables: clone set on flush only 2026-03-05 13:22:37 +01:00
nft_set_pipapo.c netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() 2026-03-10 14:10:42 +01:00
nft_set_pipapo.h netfilter: nft_set_pipapo: split gc into unlink and reclaim phase 2026-03-05 13:22:37 +01:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry 2026-03-25 21:38:27 +01:00
nft_set_pipapo_avx2.h
nft_set_rbtree.c netfilter: nft_set_rbtree: revisit array resize logic 2026-03-26 13:18:31 +01:00
nft_socket.c
nft_synproxy.c netfilter: don't include xt and nftables.h in unrelated subsystems 2026-01-20 16:23:37 +01:00
nft_tproxy.c
nft_tunnel.c
nft_xfrm.c
utils.c
x_tables.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_AUDIT.c audit: add audit_log_nf_skb helper function 2025-12-16 11:04:14 -05:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_CONNSECMARK.c
xt_CT.c netfilter: xt_CT: drop pending enqueued packets on template removal 2026-03-13 15:31:15 +01:00
xt_DSCP.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels 2026-03-10 14:10:43 +01:00
xt_LED.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_LOG.c
xt_MASQUERADE.c
xt_NETMAP.c
xt_NFLOG.c
xt_NFQUEUE.c
xt_RATEEST.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_REDIRECT.c
xt_SECMARK.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_TEE.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_TPROXY.c
xt_TRACE.c
xt_addrtype.c
xt_bpf.c
xt_cgroup.c
xt_cluster.c
xt_comment.c
xt_connbytes.c
xt_connlabel.c
xt_connlimit.c netfilter: nf_conncount: rework API to use sk_buff directly 2025-11-28 00:05:49 +00:00
xt_connmark.c
xt_conntrack.c
xt_cpu.c
xt_dccp.c netfilter: x_tables: guard option walkers against 1-byte tail reads 2026-03-10 14:10:42 +01:00
xt_devgroup.c
xt_dscp.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_helper.c
xt_hl.c
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_length.c
xt_limit.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nat.c
xt_nfacct.c
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_rateest.c
xt_realm.c
xt_recent.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_repldata.h
xt_sctp.c
xt_set.c
xt_socket.c
xt_state.c
xt_statistic.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_string.c
xt_tcpmss.c netfilter: xt_tcpmss: check remaining length before reading optlen 2026-01-20 16:23:38 +01:00
xt_tcpudp.c netfilter: x_tables: guard option walkers against 1-byte tail reads 2026-03-10 14:10:42 +01:00
xt_time.c netfilter: xt_time: use unsigned int for monthday bit shift 2026-03-13 15:31:15 +01:00
xt_u32.c