Re: [PATCH] netfilter: nf_conntrack: use get_unaligned_be32() in tcp_sack()
From: Pablo Neira Ayuso
Date: Sun Jun 07 2026 - 05:09:50 EST
On Mon, May 25, 2026 at 02:58:40PM -0700, Rosen Penev wrote:
> The timestamp-only fast path dereferences the option stream as
> *(__be32 *)ptr, which assumes 4-byte alignment that the TCP option
> stream does not guarantee. Use get_unaligned_be32() instead, which
> reads the value safely and already returns host byte order, so the
> htonl() on the comparison constant can be dropped.
>
> This matches the existing get_unaligned_be32() use later in the same
> function.
>
> Assisted-by: Claude:Opus-4.7
> Signed-off-by: Rosen Penev <rosenp@xxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_proto_tcp.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index b67426c2189b..8993374c9df2 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -405,11 +405,11 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
> return;
>
> /* Fast path for timestamp-only option */
> - if (length == TCPOLEN_TSTAMP_ALIGNED
> - && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
> - | (TCPOPT_NOP << 16)
> - | (TCPOPT_TIMESTAMP << 8)
> - | TCPOLEN_TIMESTAMP))
> + if (length == TCPOLEN_TSTAMP_ALIGNED &&
> + get_unaligned_be32(ptr) == ((TCPOPT_NOP << 24) |
> + (TCPOPT_NOP << 16) |
> + (TCPOPT_TIMESTAMP << 8) |
> + TCPOLEN_TIMESTAMP))
Missing put_unaligned_be32(), BTW.
> return;
>
> while (length > 0) {
> --
> 2.54.0
>