netfilter: nat: fix udp checksum corruption [Linux 5.2]

netfilter: nat: fix udp checksum corruption [Linux 5.2]

This Linux kernel change "netfilter: nat: fix udp checksum corruption" is included in the Linux 5.2 release. This change is authored by Florian Westphal <fw [at] strlen.de> on Mon May 20 13:48:10 2019 +0200. The commit for this change in Linux stable tree is 6bac76d (patch).

netfilter: nat: fix udp checksum corruption

Due to copy&paste error nf_nat_mangle_udp_packet passes IPPROTO_TCP,
resulting in incorrect udp checksum when payload had to be mangled.

Fixes: dac3fe72596f9 ("netfilter: nat: remove csum_recalc hook")
Reported-by: Marc Haber <[email protected]>
Tested-by: Marc Haber <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>

There are 2 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 net/netfilter/nf_nat_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_helper.c b/net/netfilter/nf_nat_helper.c
index ccc06f7..53aeb12 100644
--- a/net/netfilter/nf_nat_helper.c
+++ b/net/netfilter/nf_nat_helper.c
@@ -170,7 +170,7 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
    if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL)
        return true;

-   nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP,
+   nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_UDP,
               udph, &udph->check, datalen, oldlen);

    return true;

Leave a Reply

Your email address will not be published. Required fields are marked *