When TCPMSS with CLAMP_PMTU is used via nft_compat in a non-base chain, par->hook_mask is set to 0, bypassing the checkentry hook validation. The target can then run at PRE_ROUTING where skb_dst is NULL, causing a null-ptr-deref in tcpmss_mangle_packet(): KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] RIP: 0010:tcpmss_mangle_packet (include/net/dst.h:219 net/netfilter/xt_TCPMSS.c:105) tcpmss_tg4 (net/netfilter/xt_TCPMSS.c:202) nft_target_eval_xt (net/netfilter/nft_compat.c:87) nft_do_chain (net/netfilter/nf_tables_core.c:287) nf_hook_slow (net/netfilter/core.c:623) Check skb_dst() for NULL before calling dst_mtu(). Fixes: 493618a92c6a ("netfilter: nft_compat: fix hook validation for non-base chains") Reported-by: Xiang Mei Signed-off-by: Weiming Shi --- net/netfilter/xt_TCPMSS.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 116a885adb3c..79b5e475e23e 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -102,7 +102,12 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (info->mss == XT_TCPMSS_CLAMP_PMTU) { struct net *net = xt_net(par); unsigned int in_mtu = tcpmss_reverse_mtu(net, skb, family); - unsigned int min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu); + unsigned int min_mtu; + + if (!skb_dst(skb)) + return -1; + + min_mtu = min(dst_mtu(skb_dst(skb)), in_mtu); if (min_mtu <= minlen) { net_err_ratelimited("unknown or invalid path-MTU (%u)\n", -- 2.43.0