netfilter: nf_queue: do not allow packet truncation below transport header offset

[ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ]

Domingo Dirutigliano and Nicola Guerrera report kernel panic when
sending nf_queue verdict with 1-byte nfta_payload attribute.

The IP/IPv6 stack pulls the IP(v6) header from the packet after the
input hook.

If user truncates the packet below the header size, this skb_pull() will
result in a malformed skb (skb->len < 0).

RELEASE_NOTE=Fixed CVE-2022-36946 in the Linux kernel.

Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
Reported-by: Domingo Dirutigliano <>
Signed-off-by: Florian Westphal <>
Reviewed-by: Pablo Neira Ayuso <>
Signed-off-by: Sasha Levin <>

cos-patch: security-high
Change-Id: I55fc69adfdcfccb5dab8a2abce66dcea767c595e
Tested-by: Cusky Presubmit Bot <>
Reviewed-by: Vaibhav Rustagi <>
1 file changed