Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net/netfilter
History
Weiming Shi dbdfaae960 nfnetlink_osf: validate individual option lengths in fingerprints 
nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:

 Oops: general protection fault
 KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
 RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
 Call Trace:
  nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
  xt_osf_match_packet (net/netfilter/xt_osf.c:32)
  ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
  nf_hook_slow (net/netfilter/core.c:623)
  ip_local_deliver (net/ipv4/ip_input.c:262)
  ip_rcv (net/ipv4/ip_input.c:573)

Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction.  While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.

Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.

Fixes: 11eeef41d5 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
 		2026-03-19 10:27:07 +01:00
..
ipset Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
ipvs Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
Kconfig netfilter: Exclude LEGACY TABLES on PREEMPT_RT. 2025-07-25 18:38:50 +02:00
Makefile netfilter: flowtable: move path discovery infrastructure to its own file 2025-11-27 23:59:43 +00:00
core.c netfilter: nf_dup{4, 6}: Move duplication check to task_struct 2025-05-23 13:57:12 +02:00
nf_bpf_link.c netfilter: bpf: defer hook memory release until rcu readers are done 2026-03-19 10:26:31 +01:00
nf_conncount.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_conntrack_acct.c
nf_conntrack_amanda.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_bpf.c Networking changes for 7.0 2026-02-11 19:31:52 -08:00
nf_conntrack_broadcast.c netfilter: conntrack: remove skb argument from nf_ct_refresh 2025-01-19 16:41:55 +01:00
nf_conntrack_core.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_conntrack_ecache.c net: replace use of system_wq with system_percpu_wq 2025-09-22 17:40:30 -07:00
nf_conntrack_expect.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() 2026-03-13 15:31:15 +01:00
nf_conntrack_h323_main.c netfilter: nf_conntrack_h323: don't pass uninitialised l3num value 2026-02-17 15:04:20 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: helper: Replace -EEXIST by -EBUSY 2025-08-27 11:53:38 +02:00
nf_conntrack_irc.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: conntrack: add missing netlink policy validations 2026-03-13 15:31:14 +01:00
nf_conntrack_ovs.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
nf_conntrack_pptp.c
nf_conntrack_proto.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nf_conntrack_proto_generic.c netfilter: nf_conntrack: Add allow_clash to generic protocol handler 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_gre.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_icmpv6.c netfilter: nf_conntrack: enable icmp clash support 2026-01-20 16:23:37 +01:00
nf_conntrack_proto_sctp.c netfilter: conntrack: add missing netlink policy validations 2026-03-13 15:31:14 +01:00
nf_conntrack_proto_tcp.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nf_conntrack_proto_udp.c
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp() 2026-03-13 15:31:14 +01:00
nf_conntrack_snmp.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_standalone.c netfilter: conntrack: disable 0 value for conntrack_max setting 2025-10-30 12:52:45 +01:00
nf_conntrack_tftp.c netfilter: annotate NAT helper hook pointers with __rcu 2026-02-17 15:04:20 +01:00
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c netfilter: nf_dup_netdev: Move the recursion counter struct netdev_xmit 2025-05-23 13:57:12 +02:00
nf_flow_table_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_flow_table_core.c netfilter: flowtable: dedicated slab for flow entry 2026-02-06 13:34:55 +01:00
nf_flow_table_inet.c net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init() 2024-09-12 15:41:03 +02:00
nf_flow_table_ip.c netfilter: nf_flow_table_ip: reset mac header before vlan push 2026-03-13 15:31:15 +01:00
nf_flow_table_offload.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_flow_table_path.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_flow_table_procfs.c
nf_flow_table_xdp.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_hooks_lwtunnel.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
nf_internals.h
nf_log.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_log_syslog.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
nf_nat_amanda.c
nf_nat_bpf.c bpf: Remove redundant KF_TRUSTED_ARGS flag from all kfuncs 2026-01-02 12:04:28 -08:00
nf_nat_core.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nf_nat_ovs.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_nat_proto.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nf_nat_redirect.c
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c
nf_sockopt.c
nf_synproxy_core.c netfilter: don't include xt and nftables.h in unrelated subsystems 2026-01-20 16:23:37 +01:00
nf_tables_api.c netfilter: nf_tables: release flowtable after rcu grace period on error 2026-03-19 10:26:31 +01:00
nf_tables_core.c netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE 2025-03-23 10:53:47 +01:00
nf_tables_offload.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nf_tables_trace.c netfilter: nf_tables: hide clash bit from userspace 2025-07-14 15:22:35 +02:00
nfnetlink.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_acct.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_cthelper.c netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() 2026-03-10 14:10:42 +01:00
nfnetlink_cttimeout.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_hook.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
nfnetlink_log.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nfnetlink_osf.c nfnetlink_osf: validate individual option lengths in fingerprints 2026-03-19 10:27:07 +01:00
nfnetlink_queue.c netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path 2026-03-10 14:10:42 +01:00
nft_bitwise.c netfilter: bitwise: add support for doing AND, OR and XOR directly 2024-11-15 12:07:04 +01:00
nft_byteorder.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nft_chain_filter.c netfilter: nf_tables: Fix for duplicate device in netdev hooks 2026-03-10 14:10:42 +01:00
nft_chain_nat.c
nft_chain_route.c
nft_cmp.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_compat.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_connlimit.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_counter.c netfilter: nft_counter: serialize reset with spinlock 2026-02-17 15:04:20 +01:00
nft_ct.c netfilter: nft_ct: drop pending enqueued packets on removal 2026-03-13 15:31:15 +01:00
nft_ct_fast.c
nft_dup_netdev.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_dynset.c nf_tables: nft_dynset: fix possible stateful expression memleak in error path 2026-03-13 15:31:15 +01:00
nft_exthdr.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nft_fib.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_fib_inet.c
nft_fib_netdev.c
nft_flow_offload.c netfilter: nf_conntrack: don't rely on implicit includes 2026-01-20 16:23:37 +01:00
nft_fwd_netdev.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_hash.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_immediate.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_inner.c netfilter: nft_inner: Use nested-BH locking for nft_pcpu_tun_ctx 2025-05-23 13:57:12 +02:00
nft_last.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_limit.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_log.c audit: add audit_log_nf_skb helper function 2025-12-16 11:04:14 -05:00
nft_lookup.c netfilter: nf_tables: use C99 struct initializer for nft_set_iter 2025-10-30 12:52:45 +01:00
nft_masq.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_meta.c netfilter: nf_tables: missing objects with no memcg accounting 2024-09-26 13:03:02 +02:00
nft_nat.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_numgen.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_objref.c netfilter: nft_objref: validate objref and objrefmap expressions 2025-10-08 13:17:25 +02:00
nft_osf.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_payload.c netfilter: nft_payload: extend offset to 65535 bytes 2025-09-02 15:28:18 +02:00
nft_queue.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_quota.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
nft_range.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_redir.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_reject.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_reject_inet.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_reject_netdev.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_rt.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_set_bitmap.c netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation 2025-09-10 20:28:24 +02:00
nft_set_hash.c netfilter: nf_tables: clone set on flush only 2026-03-05 13:22:37 +01:00
nft_set_pipapo.c netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() 2026-03-10 14:10:42 +01:00
nft_set_pipapo.h netfilter: nft_set_pipapo: split gc into unlink and reclaim phase 2026-03-05 13:22:37 +01:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: fix skip of expired entries 2025-09-24 11:50:28 +02:00
nft_set_pipapo_avx2.h netfilter: nft_set_pipapo: use avx2 algorithm for insertions too 2025-08-20 13:52:37 +02:00
nft_set_rbtree.c netfilter: revert nft_set_rbtree: validate open interval overlap 2026-03-13 15:31:14 +01:00
nft_socket.c netfilter: nft_socket: remove WARN_ON_ONCE with huge level value 2025-08-07 13:19:26 +02:00
nft_synproxy.c netfilter: don't include xt and nftables.h in unrelated subsystems 2026-01-20 16:23:37 +01:00
nft_tproxy.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_tunnel.c netfilter: nft_tunnel: fix geneve_opt dump 2025-05-23 13:57:12 +02:00
nft_xfrm.c xfrm: add generic iptfs defines and functionality 2024-12-05 10:01:28 +01:00
utils.c
x_tables.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_AUDIT.c audit: add audit_log_nf_skb helper function 2025-12-16 11:04:14 -05:00
xt_CHECKSUM.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CLASSIFY.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CONNSECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CT.c netfilter: xt_CT: drop pending enqueued packets on template removal 2026-03-13 15:31:15 +01:00
xt_DSCP.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels 2026-03-10 14:10:43 +01:00
xt_LED.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_LOG.c
xt_MASQUERADE.c
xt_NETMAP.c
xt_NFLOG.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_NFQUEUE.c
xt_RATEEST.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_REDIRECT.c
xt_SECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_TCPMSS.c
xt_TCPOPTSTRIP.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_TEE.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_TPROXY.c
xt_TRACE.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_addrtype.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_bpf.c
xt_cgroup.c net: cgroup: Guard users of sock_cgroup_classid() 2025-04-24 16:04:02 +02:00
xt_cluster.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_comment.c
xt_connbytes.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_connlabel.c
xt_connlimit.c netfilter: nf_conncount: rework API to use sk_buff directly 2025-11-28 00:05:49 +00:00
xt_connmark.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_conntrack.c
xt_cpu.c
xt_dccp.c netfilter: x_tables: guard option walkers against 1-byte tail reads 2026-03-10 14:10:42 +01:00
xt_devgroup.c
xt_dscp.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_helper.c
xt_hl.c
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_length.c
xt_limit.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_mac.c
xt_mark.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_multiport.c
xt_nat.c
xt_nfacct.c netfilter: xt_nfacct: don't assume acct name is null-terminated 2025-07-25 18:40:43 +02:00
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_rateest.c
xt_realm.c
xt_recent.c Convert 'alloc_flex' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_repldata.h netfilter: xtables: Use strscpy() instead of strscpy_pad() 2025-03-23 10:53:47 +01:00
xt_sctp.c
xt_set.c
xt_socket.c
xt_state.c
xt_statistic.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
xt_string.c
xt_tcpmss.c netfilter: xt_tcpmss: check remaining length before reading optlen 2026-01-20 16:23:38 +01:00
xt_tcpudp.c netfilter: x_tables: guard option walkers against 1-byte tail reads 2026-03-10 14:10:42 +01:00
xt_time.c netfilter: xt_time: use unsigned int for monthday bit shift 2026-03-13 15:31:15 +01:00
xt_u32.c