Commit a13fbf5e authored by Xin Long's avatar Xin Long Committed by Jakub Kicinski

netfilter: use skb_ip_totlen and iph_totlen

There are also quite some places in netfilter that may process IPv4 TCP
GSO packets, we need to replace them too.

In length_mt(), we have to use u_int32_t/int to accept skb_ip_totlen()
return value, otherwise it may overflow and mismatch. This change will
also help us add selftest for IPv4 BIG TCP in the following patch.

Note that we don't need to replace the one in tcpmss_tg4(), as it will
return if there is data after tcphdr in tcpmss_mangle_packet(). The
same in mangle_contents() in nf_nat_helper.c, it returns false when
skb->len + extra > 65535 in enlarge_skb().
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 043e397e
...@@ -29,7 +29,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt) ...@@ -29,7 +29,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
if (iph->ihl < 5 || iph->version != 4) if (iph->ihl < 5 || iph->version != 4)
return -1; return -1;
len = ntohs(iph->tot_len); len = iph_totlen(pkt->skb, iph);
thoff = iph->ihl * 4; thoff = iph->ihl * 4;
if (pkt->skb->len < len) if (pkt->skb->len < len)
return -1; return -1;
...@@ -64,7 +64,7 @@ static inline int nft_set_pktinfo_ipv4_ingress(struct nft_pktinfo *pkt) ...@@ -64,7 +64,7 @@ static inline int nft_set_pktinfo_ipv4_ingress(struct nft_pktinfo *pkt)
if (iph->ihl < 5 || iph->version != 4) if (iph->ihl < 5 || iph->version != 4)
goto inhdr_error; goto inhdr_error;
len = ntohs(iph->tot_len); len = iph_totlen(pkt->skb, iph);
thoff = iph->ihl * 4; thoff = iph->ihl * 4;
if (pkt->skb->len < len) { if (pkt->skb->len < len) {
__IP_INC_STATS(nft_net(pkt), IPSTATS_MIB_INTRUNCATEDPKTS); __IP_INC_STATS(nft_net(pkt), IPSTATS_MIB_INTRUNCATEDPKTS);
......
...@@ -994,7 +994,7 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af, ...@@ -994,7 +994,7 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
old_dsfield = ipv4_get_dsfield(old_iph); old_dsfield = ipv4_get_dsfield(old_iph);
*ttl = old_iph->ttl; *ttl = old_iph->ttl;
if (payload_len) if (payload_len)
*payload_len = ntohs(old_iph->tot_len); *payload_len = skb_ip_totlen(skb);
} }
/* Implement full-functionality option for ECN encapsulation */ /* Implement full-functionality option for ECN encapsulation */
......
...@@ -322,7 +322,7 @@ dump_ipv4_packet(struct net *net, struct nf_log_buf *m, ...@@ -322,7 +322,7 @@ dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
/* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */ /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ", nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK, iph_totlen(skb, ih), ih->tos & IPTOS_TOS_MASK,
ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id)); ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
/* Max length: 6 "CE DF MF " */ /* Max length: 6 "CE DF MF " */
......
...@@ -21,7 +21,7 @@ static bool ...@@ -21,7 +21,7 @@ static bool
length_mt(const struct sk_buff *skb, struct xt_action_param *par) length_mt(const struct sk_buff *skb, struct xt_action_param *par)
{ {
const struct xt_length_info *info = par->matchinfo; const struct xt_length_info *info = par->matchinfo;
u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len); u32 pktlen = skb_ip_totlen(skb);
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment