netfilter: ip6t_NPT: Ensure to check lower part of prefixes are zero

RFC 6296 points that address bits that are not part of the prefix has to be zeroed. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: ip6t_NPT: Ensure to check lower part of prefixes are zero
RFC 6296 points that address bits that are not part of the prefix has to be zeroed. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
YOSHIFUJI Hideaki / 吉藤英明 · Pablo Neira Ayuso
1 parent d4c38fa87d
Showing 1 changed file with 10 additions and 0 deletions Side-by-side Diff
net/ipv6/netfilter/ip6t_NPT.c
@@ -9,6 +9,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ipv6.h>
+#include <net/ipv6.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter_ipv6/ip6t_NPT.h>
  
@@ -18,9 +19,18 @@
 {
 	struct ip6t_npt_tginfo *npt = par->targinfo;
 	__wsum src_sum = 0, dst_sum = 0;
+	struct in6_addr pfx;
 	unsigned int i;
  
 	if (npt->src_pfx_len > 64 || npt->dst_pfx_len > 64)
+		return -EINVAL;
+
+	/* Ensure that LSB of prefix is zero */
+	ipv6_addr_prefix(&pfx, &npt->src_pfx.in6, npt->src_pfx_len);
+	if (!ipv6_addr_equal(&pfx, &npt->src_pfx.in6))
+		return -EINVAL;
+	ipv6_addr_prefix(&pfx, &npt->dst_pfx.in6, npt->dst_pfx_len);
+	if (!ipv6_addr_equal(&pfx, &npt->dst_pfx.in6))
 		return -EINVAL;
  
 	for (i = 0; i < ARRAY_SIZE(npt->src_pfx.in6.s6_addr16); i++) {
...	...	@@ -9,6 +9,7 @@
9	9	#include <linux/module.h>
10	10	#include <linux/skbuff.h>
11	11	#include <linux/ipv6.h>
	12	+#include <net/ipv6.h>
12	13	#include <linux/netfilter.h>
13	14	#include <linux/netfilter_ipv6.h>
14	15	#include <linux/netfilter_ipv6/ip6t_NPT.h>
15	16
...	...	@@ -18,9 +19,18 @@
18	19	{
19	20	struct ip6t_npt_tginfo *npt = par->targinfo;
20	21	__wsum src_sum = 0, dst_sum = 0;
	22	+ struct in6_addr pfx;
21	23	unsigned int i;
22	24
23	25	if (npt->src_pfx_len > 64 \|\| npt->dst_pfx_len > 64)
	26	+ return -EINVAL;
	27	+
	28	+ /* Ensure that LSB of prefix is zero */
	29	+ ipv6_addr_prefix(&pfx, &npt->src_pfx.in6, npt->src_pfx_len);
	30	+ if (!ipv6_addr_equal(&pfx, &npt->src_pfx.in6))
	31	+ return -EINVAL;
	32	+ ipv6_addr_prefix(&pfx, &npt->dst_pfx.in6, npt->dst_pfx_len);
	33	+ if (!ipv6_addr_equal(&pfx, &npt->dst_pfx.in6))
24	34	return -EINVAL;
25	35
26	36	for (i = 0; i < ARRAY_SIZE(npt->src_pfx.in6.s6_addr16); i++) {