linux/net
Guillaume Nault ea64d8d6c6 netfilter: nat: never update the UDP checksum when it's 0
If the UDP header of a local VXLAN endpoint is NAT-ed, and the VXLAN
device has disabled UDP checksums and enabled Tx checksum offloading,
then the skb passed to udp_manip_pkt() has hdr->check == 0 (outer
checksum disabled) and skb->ip_summed == CHECKSUM_PARTIAL (inner packet
checksum offloaded).

Because of the ->ip_summed value, udp_manip_pkt() tries to update the
outer checksum with the new address and port, leading to an invalid
checksum sent on the wire, as the original null checksum obviously
didn't take the old address and port into account.

So, we can't take ->ip_summed into account in udp_manip_pkt(), as it
might not refer to the checksum we're acting on. Instead, we can base
the decision to update the UDP checksum entirely on the value of
hdr->check, because it's null if and only if checksum is disabled:

  * A fully computed checksum can't be 0, since a 0 checksum is
    represented by the CSUM_MANGLED_0 value instead.

  * A partial checksum can't be 0, since the pseudo-header always adds
    at least one non-zero value (the UDP protocol type 0x11) and adding
    more values to the sum can't make it wrap to 0 as the carry is then
    added to the wrapped number.

  * A disabled checksum uses the special value 0.

The problem seems to be there from day one, although it was probably
not visible before UDP tunnels were implemented.

Fixes: 5b1158e909 ("[NETFILTER]: Add NAT support for nf_conntrack")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-04-26 23:57:18 +02:00
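Worked illustration of the checksum argument in the commit message, added here as an example; it is not kernel code and not part of the commit. It models the three cases the message lists (a partial checksum is the folded pseudo-header sum and cannot be 0, a computed 0 is sent as CSUM_MANGLED_0, and 0 means disabled) and the two decision rules for updating the check field during NAT: the old one, which also trusted the CHECKSUM_PARTIAL flag, and the new one, which looks only at hdr->check. The addresses, ports, payload and all function names are constructed for the example; the incremental update uses the RFC 1624 formula for a complemented checksum, which is a simplification (for an offloaded packet with a non-zero check the kernel updates the un-complemented pseudo-header value instead, a case that is not needed to show the bug).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed example, not kernel code. */
#define CSUM_MANGLED_0 0xFFFFu /* what goes on the wire instead of a computed 0 */

/* One's-complement fold: the carry is added back into the low half, so a
 * non-zero accumulator folds to 0xFFFF at worst, never to 0x0000. */
static uint16_t fold16(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Big-endian 16-bit words of a byte buffer added to the accumulator. */
static uint32_t sum_bytes(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    return sum;
}

/* IPv4 UDP pseudo-header: saddr, daddr, zero byte, protocol 0x11, UDP length.
 * The protocol byte is the guaranteed non-zero term the commit relies on. */
static uint32_t sum_pseudo(uint32_t saddr, uint32_t daddr, uint16_t udplen)
{
    return (saddr >> 16) + (saddr & 0xFFFFu) +
           (daddr >> 16) + (daddr & 0xFFFFu) + 0x11u + udplen;
}

/* Check field of an offloaded (CHECKSUM_PARTIAL) packet: the folded
 * pseudo-header sum that hardware later completes. Never 0. */
uint16_t udp_partial_check(uint32_t saddr, uint32_t daddr, uint16_t udplen)
{
    return fold16(sum_pseudo(saddr, daddr, udplen));
}

/* Full software checksum (udplen >= 8); bytes 6..7, the check field, are
 * skipped. A computed 0 becomes CSUM_MANGLED_0 because 0 means "disabled". */
uint16_t udp_full_check(uint32_t saddr, uint32_t daddr,
                        const uint8_t *udp, uint16_t udplen)
{
    uint32_t s = sum_pseudo(saddr, daddr, udplen);
    s = sum_bytes(s, udp, 6);
    s = sum_bytes(s, udp + 8, udplen - 8);
    uint16_t c = (uint16_t)~fold16(s);
    return c ? c : CSUM_MANGLED_0;
}

/* Receiver view: valid iff the sum over everything, check included, folds
 * to 0xFFFF (one's-complement zero). */
bool udp_check_valid(uint32_t saddr, uint32_t daddr,
                     const uint8_t *udp, uint16_t udplen)
{
    return fold16(sum_bytes(sum_pseudo(saddr, daddr, udplen), udp, udplen))
           == 0xFFFFu;
}

/* Incremental update of a complemented checksum (RFC 1624 eq. 3):
 * HC' = ~(~HC + ~m + m'), applied once per changed 16-bit field. */
static uint16_t csum_replace16(uint16_t check, uint16_t from, uint16_t to)
{
    return (uint16_t)~fold16((uint16_t)~check + (uint16_t)~from + to);
}

/* NAT of source address and port. 'partial' plays skb->ip_summed ==
 * CHECKSUM_PARTIAL; 'fixed' selects the decision rule after the commit,
 * which only asks whether the check field is 0. */
uint16_t nat_udp_check(uint16_t check, bool partial, bool fixed,
                       uint32_t old_addr, uint32_t new_addr,
                       uint16_t old_port, uint16_t new_port)
{
    bool do_csum = fixed ? (check != 0) : (check != 0 || partial);
    if (!do_csum)
        return check; /* checksum disabled: leave the 0 alone */
    check = csum_replace16(check, old_addr >> 16, new_addr >> 16);
    check = csum_replace16(check, old_addr & 0xFFFFu, new_addr & 0xFFFFu);
    check = csum_replace16(check, old_port, new_port);
    return check ? check : CSUM_MANGLED_0;
}

/* Constructed sample: UDP header (ports 4789, length 12, check 0) + "abcd". */
const uint8_t sample_udp[12] = { 0x12, 0xB5, 0x12, 0xB5, 0x00, 0x0C,
                                 0x00, 0x00, 'a', 'b', 'c', 'd' };
#define SRC_OLD 0x0A000001u /* 10.0.0.1, constructed */
#define SRC_NEW 0xC0000201u /* 192.0.2.1, constructed */
#define DST     0x0A000002u /* 10.0.0.2, constructed */

/* Round trip: checksum the sample (or leave it 0 with offloading on), NAT
 * the source to 192.0.2.1:40000, then verify as a receiver would. A 0 on
 * the wire means "no checksum" and is accepted. */
static uint16_t nat_sample(bool offload_zero, bool fixed, bool *valid)
{
    uint8_t pkt[12];
    memcpy(pkt, sample_udp, sizeof pkt);
    uint16_t check = offload_zero ? 0 : udp_full_check(SRC_OLD, DST, pkt, 12);
    check = nat_udp_check(check, offload_zero, fixed,
                          SRC_OLD, SRC_NEW, 0x12B5, 0x9C40);
    pkt[0] = 0x9C; pkt[1] = 0x40;
    pkt[6] = (uint8_t)(check >> 8); pkt[7] = (uint8_t)(check & 0xFF);
    *valid = check == 0 || udp_check_valid(SRC_NEW, DST, pkt, 12);
    return check;
}

uint16_t nat_sample_check(bool offload_zero, bool fixed)
{
    bool v;
    return nat_sample(offload_zero, fixed, &v);
}

bool nat_sample_valid(bool offload_zero, bool fixed)
{
    bool v;
    nat_sample(offload_zero, fixed, &v);
    return v;
}
```

With the sample packet, the partial check is 0x1420 and the full check is 0x01A3; NAT of a checksummed packet yields 0xC016 under either rule and still validates. With the check field 0 and offloading on, the old rule "updates" the 0 into a non-zero value that no receiver accepts, which is the wire corruption the commit describes; the new rule leaves the 0 in place.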
6lowpan
9p 9pnet: allow making incomplete read requests 2020-03-27 09:29:56 +00:00
802
8021q
appletalk
atm
ax25
batman-adv
bluetooth Bluetooth: L2CAP: Use DEFER_SETUP to group ECRED connections 2020-03-25 22:16:08 +01:00
bpf bpf: Fix build warning regarding missing prototypes 2020-03-28 18:13:18 +01:00
bpfilter SPDX patches for 5.7-rc1. 2020-04-03 13:12:26 -07:00
bridge
caif
can
ceph libceph: directly skip to the end of redirect reply 2020-03-30 12:42:41 +02:00
core net: remove obsolete comment 2020-04-25 20:49:32 -07:00
dcb
dccp
decnet Remove DST_HOST 2020-03-23 21:57:44 -07:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-03-29 12:40:41 +01:00
dsa net: dsa: don't fail to probe if we couldn't set the MTU 2020-04-22 19:22:59 -07:00
ethernet
ethtool ethtool: provide timestamping information with TSINFO_GET request 2020-03-29 22:32:37 -07:00
hsr hsr: check protocol version in hsr_newlink() 2020-04-07 18:34:18 -07:00
ieee802154
ife
ipv4 ipv4: Update fib_select_default to handle nexthop objects 2020-04-22 19:57:39 -07:00
ipv6 xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish 2020-04-22 12:32:11 -07:00
iucv
kcm
key
l2tp l2tp: Allow management of tunnels and session in user namespace 2020-04-08 14:30:46 -07:00
l3mdev
lapb
llc
mac80211 mac80211: sta_info: Add lockdep condition for RCU list usage 2020-04-24 11:31:20 +02:00
mac802154
mpls net: add net available in build_state 2020-03-29 22:30:57 -07:00
mptcp mptcp: fix race in msk status update 2020-04-25 20:38:54 -07:00
ncsi
netfilter netfilter: nat: never update the UDP checksum when it's 0 2020-04-26 23:57:18 +02:00
netlabel netlabel: Kconfig: Update reference for NetLabel Tools project 2020-04-22 19:55:01 -07:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-25 18:58:11 -07:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-04-18 13:09:46 -07:00
nfc
nsh
openvswitch net: openvswitch: ovs_ct_exit to be done under ovs_lock 2020-04-20 10:53:54 -07:00
packet
phonet
psample
qrtr net: qrtr: send msgs from local of same id as broadcast 2020-04-09 10:08:31 -07:00
rds net/rds: Use ERR_PTR for rds_message_alloc_sgs() 2020-04-15 12:33:29 -07:00
rfkill
rose
rxrpc rxrpc: Fix DATA Tx to disable nofrag for UDP on AF_INET6 socket 2020-04-14 16:26:47 -07:00
sched sched: etf: do not assume all sockets are full blown 2020-04-22 19:20:28 -07:00
sctp sctp: Fix SHUTDOWN CTSN Ack in the peer restart case 2020-04-22 19:27:40 -07:00
smc
strparser
sunrpc svcrdma: Fix leak of svc_rdma_recv_ctxt objects 2020-04-17 12:40:38 -04:00
switchdev
tipc tipc: Fix potential tipc_node refcnt leak in tipc_rcv 2020-04-18 13:24:20 -07:00
tls net/tls: fix const assignment warning 2020-04-08 14:34:02 -07:00
unix
vmw_vsock
wimax
wireless nl80211: fix NL80211_ATTR_FTM_RESPONDER policy 2020-04-14 12:28:48 +02:00
x25 net/x25: Fix x25_neigh refcnt leak when receiving frame 2020-04-23 15:39:39 -07:00
xdp xsk: Add missing check on user supplied headroom size 2020-04-15 13:07:18 +02:00
xfrm Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2020-03-30 10:59:20 -07:00
compat.c
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-03-25 12:24:33 -07:00
Makefile
socket.c for-5.7/io_uring-2020-03-29 2020-03-30 12:18:49 -07:00
sysctl_net.c