[NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets

iptables matches and targets expect packets to have at least a full
IP header and a valid header length. Ignore packets sent through
raw sockets for which this isn't true as in the other tables.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index f7d28fd..d6e5033 100644 (file)
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -5,6 +5,7 @@
  */
 #include <linux/module.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/ip.h>
 
 #define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
 
@@ -54,6 +55,24 @@ ipt_hook(unsigned int hook,
        return ipt_do_table(pskb, hook, in, out, &packet_raw);
 }
 
+static unsigned int
+ipt_local_hook(unsigned int hook,
+              struct sk_buff **pskb,
+              const struct net_device *in,
+              const struct net_device *out,
+              int (*okfn)(struct sk_buff *))
+{
+       /* root is playing with raw sockets. */
+       if ((*pskb)->len < sizeof(struct iphdr) ||
+           ip_hdrlen(*pskb) < sizeof(struct iphdr)) {
+               if (net_ratelimit())
+                       printk("iptable_raw: ignoring short SOCK_RAW"
+                              "packet.\n");
+               return NF_ACCEPT;
+       }
+       return ipt_do_table(pskb, hook, in, out, &packet_raw);
+}
+
 /* 'raw' is the very first table. */
 static struct nf_hook_ops ipt_ops[] = {
        {
@@ -64,7 +83,7 @@ static struct nf_hook_ops ipt_ops[] = {
                .owner = THIS_MODULE,
        },
        {
-               .hook = ipt_hook,
+               .hook = ipt_local_hook,
                .pf = PF_INET,
                .hooknum = NF_IP_LOCAL_OUT,
                .priority = NF_IP_PRI_RAW,