Re: [PATCH 5.10] netfilter: nf_log: validate MAC header was set before dumping it

Next message: Christian Borntraeger: "Re: [PATCH v2] KVM: s390: pci: Fix GISC refcount leak on AIF enable failure"
Previous message: Keshav Verma: "[PATCH v3] rust_binder: reject context manager self-transaction"
In reply to: Greg Kroah-Hartman: "Re: [PATCH 5.10] netfilter: nf_log: validate MAC header was set before dumping it"
Next in thread: Alexander Martyniuk: "[PATCH v2] netfilter: nf_log: validate MAC header was set before dumping it"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sasha Levin

Date: Thu Jun 25 2026 - 06:42:39 EST

> [PATCH 5.10] netfilter: nf_log: validate MAC header was set before
> dumping it
>
> --- a/net/ipv4/netfilter/nf_log_ipv4.c
> +++ b/net/ipv4/netfilter/nf_log_ipv4.c

Thanks for the backport - the retarget to nf_log_ipv4.c is right for 5.10.

One gap though: upstream fixed both loggers via the consolidated
nf_log_syslog.c, but in 5.10 the IPv6 logger (net/ipv6/netfilter/
nf_log_ipv6.c) still has the identical unguarded fallback and is left
vulnerable here - which is also Pablo's "why only 5.10?" point.

--
Thanks,
Sasha