NULL pointer dereference (memory safety) in netfilter OS fingerprint TTL check

HIGH
torvalds/linux
Commit: 711987ba281f
Affected: All versions prior to and including v7.0-rc6 (i.e., before this patch in nfnetlink_osf.c)
2026-04-25 13:35 UTC

Description

The commit fixes a potential NULL pointer dereference in the OS fingerprint TTL check path (nf_osf_ttl). Previously, the function dereferenced skb->dev (via __in_dev_get_rcu) to obtain an in_device and iterated the local interface addresses with in_dev_for_each_ifa_rcu, which could dereference a NULL or invalid device pointer under certain skb conditions and crash the kernel. The patch removes the device dereference and the interface loop and replaces the TTL evaluation with a switch on ttl_check that does not touch skb->dev, mitigating the memory-safety issue in the netfilter OS fingerprint path.

Commit Details

Author: Fernando Fernandez Mancera

Date: 2026-04-17 16:20 UTC

Message:

netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check

The nf_osf_ttl() function accessed skb->dev to perform a local interface address lookup without verifying that the device pointer was valid.

Additionally, the implementation utilized an in_dev_for_each_ifa_rcu loop to match the packet source address against local interface addresses. It assumed that packets from the same subnet should not see a decrement on the initial TTL. A packet might appear to be from the same subnet but actually isn't, especially in modern environments with containers and virtual switching.

Remove the device dereference and interface loop. Replace the logic with a switch statement that evaluates the TTL according to the ttl_check.

Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Kito Xu (veritas501) <hxzene@gmail.com>
Closes: https://lore.kernel.org/netfilter-devel/20260414074556.2512750-1-hxzene@gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Triage Assessment

Vulnerability Type: Memory safety (NULL pointer dereference)

Confidence: HIGH

Reasoning:

The patch removes an unconditional access to skb->dev and an interface loop that could dereference a NULL or invalid device pointer during TTL checks, replacing them with a switch-based TTL evaluation that needs no device pointer. This mitigates a potential NULL pointer dereference (memory-safety) issue in the netfilter OS fingerprint path, which could otherwise lead to kernel crashes. The commit message explicitly describes the change as fixing a NULL dereference in the TTL check.

Verification Assessment

Vulnerability Type: NULL pointer dereference (memory safety) in netfilter OS fingerprint TTL check

Confidence: HIGH

Affected Versions: All versions prior to and including v7.0-rc6 (i.e., before this patch in nfnetlink_osf.c)

Code Diff

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c index 9b209241029be6..acb753ec5697a5 100644 --- a/net/netfilter/nfnetlink_osf.c +++ b/net/netfilter/nfnetlink_osf.c @@ -31,26 +31,18 @@ EXPORT_SYMBOL_GPL(nf_osf_fingers); static inline int nf_osf_ttl(const struct sk_buff *skb, int ttl_check, unsigned char f_ttl) { - struct in_device *in_dev = __in_dev_get_rcu(skb->dev); const struct iphdr *ip = ip_hdr(skb); - const struct in_ifaddr *ifa; - int ret = 0; - if (ttl_check == NF_OSF_TTL_TRUE) + switch (ttl_check) { + case NF_OSF_TTL_TRUE: return ip->ttl == f_ttl; - if (ttl_check == NF_OSF_TTL_NOCHECK) - return 1; - else if (ip->ttl <= f_ttl) + break; + case NF_OSF_TTL_NOCHECK: return 1; - - in_dev_for_each_ifa_rcu(ifa, in_dev) { - if (inet_ifa_match(ip->saddr, ifa)) { - ret = (ip->ttl == f_ttl); - break; - } + case NF_OSF_TTL_LESS: + default: + return ip->ttl <= f_ttl; } - - return ret; } struct nf_osf_hdr_ctx {
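Review bot: the `break;` left after `return ip->ttl == f_ttl;` in the `case NF_OSF_TTL_TRUE:` arm is unreachable and should be dropped, since every arm of the new switch returns. On the logic, the removed in_dev_for_each_ifa_rcu loop was only reached when ip->ttl > f_ttl, at which point `ret = (ip->ttl == f_ttl);` could never be true, so the old function effectively returned ip->ttl <= f_ttl for every ttl_check other than NF_OSF_TTL_TRUE and NF_OSF_TTL_NOCHECK; the new `return ip->ttl <= f_ttl;` under `case NF_OSF_TTL_LESS:` / `default:` therefore preserves the observable result while removing the __in_dev_get_rcu(skb->dev) dereference, and that equivalence deserves a sentence in the commit message so readers do not hunt for a behaviour change. Grouping `default:` with NF_OSF_TTL_LESS also keeps the old treatment of unexpected ttl_check values (they fell into the `ip->ttl <= f_ttl` test before as well), which is fine but worth a one-line comment above the `default:` label.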