Message ID | 4542573738ca3499bd15b2e9980c0176db442dc7.1674921359.git.lucien.xin@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 46abd17302ba6be2e06818088e40a568e8f9e7af |
Delegated to: | Netdev Maintainers |
Series | net: support ipv4 big tcp | expand |
On 28/01/2023 17:58, Xin Long wrote: > These 3 places in bridge netfilter are called on RX path after GRO > and IPv4 TCP GSO packets may come through, so replace iph tot_len > accessing with skb_ip_totlen() in there. > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > --- > net/bridge/br_netfilter_hooks.c | 2 +- > net/bridge/netfilter/nf_conntrack_bridge.c | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c > index f20f4373ff40..b67c9c98effa 100644 > --- a/net/bridge/br_netfilter_hooks.c > +++ b/net/bridge/br_netfilter_hooks.c > @@ -214,7 +214,7 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb) > if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl))) > goto csum_error; > > - len = ntohs(iph->tot_len); > + len = skb_ip_totlen(skb); > if (skb->len < len) { > __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS); > goto drop; > diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c > index 5c5dd437f1c2..71056ee84773 100644 > --- a/net/bridge/netfilter/nf_conntrack_bridge.c > +++ b/net/bridge/netfilter/nf_conntrack_bridge.c > @@ -212,7 +212,7 @@ static int nf_ct_br_ip_check(const struct sk_buff *skb) > iph->version != 4) > return -1; > > - len = ntohs(iph->tot_len); > + len = skb_ip_totlen(skb); > if (skb->len < nhoff + len || > len < (iph->ihl * 4)) > return -1; > @@ -256,7 +256,7 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb, > if (!pskb_may_pull(skb, sizeof(struct iphdr))) > return NF_ACCEPT; > > - len = ntohs(ip_hdr(skb)->tot_len); > + len = skb_ip_totlen(skb); > if (pskb_trim_rcsum(skb, len)) > return NF_ACCEPT; > Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index f20f4373ff40..b67c9c98effa 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -214,7 +214,7 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
 if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
 goto csum_error;
 
- len = ntohs(iph->tot_len);
+ len = skb_ip_totlen(skb);
 if (skb->len < len) {
 __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
 goto drop;
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 5c5dd437f1c2..71056ee84773 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -212,7 +212,7 @@ static int nf_ct_br_ip_check(const struct sk_buff *skb)
 iph->version != 4)
 return -1;
 
- len = ntohs(iph->tot_len);
+ len = skb_ip_totlen(skb);
 if (skb->len < nhoff + len ||
 len < (iph->ihl * 4))
 return -1;
@@ -256,7 +256,7 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb,
 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
 return NF_ACCEPT;
 
- len = ntohs(ip_hdr(skb)->tot_len);
+ len = skb_ip_totlen(skb);
 if (pskb_trim_rcsum(skb, len))
 return NF_ACCEPT;
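Review bot: The new assignment in br_validate_ipv4() (and the identical one in nf_ct_br_ip_check()) carries no comment saying why the header field is no longer read directly, which matters on a validation path. As I understand the helper from this series (its definition is not on this page), it falls back to a length derived from skb->len when tot_len is 0 on a GSO TCP packet, so for those packets the following `skb->len < len` truncation test cannot fail. I would add above the assignment `/* BIG TCP GSO packets carry tot_len == 0; skb_ip_totlen() then derives the length from skb->len */`. Both functions start and end outside their hunks.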
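Review bot: In nf_ct_bridge_pre() the value from skb_ip_totlen() goes to pskb_trim_rcsum() with no visible check that it is at least the IP header length; only the pskb_may_pull() for sizeof(struct iphdr) precedes it in this hunk. For non-GSO traffic that length comes from the packet itself, so it is worth confirming that later validation in the function (outside the hunk) rejects a packet trimmed below its header. If it does not, a guard before the trim such as `if (len < sizeof(struct iphdr)) return NF_ACCEPT;` would match the function's existing error style. The function body continues outside the hunk.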
These 3 places in bridge netfilter are called on the RX path after GRO, where IPv4 TCP GSO packets may come through, so replace the direct accesses to iph->tot_len with skb_ip_totlen() there. Signed-off-by: Xin Long <lucien.xin@gmail.com> --- net/bridge/br_netfilter_hooks.c | 2 +- net/bridge/netfilter/nf_conntrack_bridge.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)