[NETFILTER]: iptable_raw: ignore short packets sent by SOCK_RAW sockets

iptables matches and targets expect packets to have at least a full
IP header and a valid header length. Ignore packets sent through
raw sockets for which this isn't true as in the other tables.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 20 insertions, 1 deletions

diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index f7d28fd748e2..d6e503395684 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -5,6 +5,7 @@
  */
 #include <linux/module.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
+#include <net/ip.h>
 
 #define RAW_VALID_HOOKS ((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_LOCAL_OUT))
 
@@ -54,6 +55,24 @@ ipt_hook(unsigned int hook,
         return ipt_do_table(pskb, hook, in, out, &packet_raw);
 }
 
+static unsigned int
+ipt_local_hook(unsigned int hook,
+               struct sk_buff **pskb,
+               const struct net_device *in,
+               const struct net_device *out,
+               int (*okfn)(struct sk_buff *))
+{
+        /* root is playing with raw sockets. */
+        if ((*pskb)->len < sizeof(struct iphdr) ||
+            ip_hdrlen(*pskb) < sizeof(struct iphdr)) {
+                if (net_ratelimit())
+                        printk("iptable_raw: ignoring short SOCK_RAW"
+                               "packet.\n");
+                return NF_ACCEPT;
+        }
+        return ipt_do_table(pskb, hook, in, out, &packet_raw);
+}
+
 /* 'raw' is the very first table. */
 static struct nf_hook_ops ipt_ops[] = {
         {
@@ -64,7 +83,7 @@ static struct nf_hook_ops ipt_ops[] = {
                 .owner = THIS_MODULE,
         },
         {
-                .hook = ipt_hook,
+                .hook = ipt_local_hook,
                 .pf = PF_INET,
                 .hooknum = NF_IP_LOCAL_OUT,
                 .priority = NF_IP_PRI_RAW,