[SRU][J/F/B][PATCH] Fix CVE-2022-2663 (netfilter: nf_conntrack_irc: Fix forged IP logic)
John Cabaj
john.cabaj at canonical.com
Tue Oct 18 19:41:46 UTC 2022
[Impact]
* nf_conntrac_irc can incorrectly match messages and can allow firewall bypass. Impacts Jammy, Focal, and Bionic.
[Fix]
* Fixing netfilter IP logic so destination is based off proper direction, in this case referencing NAT host. Also detect port 0 as forged.
[Test Plan]
* Compile and boot test.
[Where problems could occur]
* Erroneous usage of dcc_port 0 for anything other than a signal flag.
David Leadbeater (1):
netfilter: nf_conntrack_irc: Fix forged IP logic
net/netfilter/nf_conntrack_irc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--
2.34.1
More information about the kernel-team
mailing list