[PATCH] netfilter: synproxy: fix unaligned access to TCP timestamp option

Rosen Penev posted 1 patch 10 hours ago
net/netfilter/nf_synproxy_core.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
[PATCH] netfilter: synproxy: fix unaligned access to TCP timestamp option
Posted by Rosen Penev 10 hours ago
synproxy_tstamp_adjust() reads and writes the TSval and TSecr fields of
the TCP Timestamp option via direct __be32 pointer dereferences. These
fields are at byte offsets 2 and 6 within the option, which are only
2-byte aligned — not 4-byte aligned for __be32 access.

Replace with get_unaligned_be32() / put_unaligned_be32() to safely
handle the unaligned access on strict-alignment architectures.

Assisted-by: opencode:big-pickle
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
 net/netfilter/nf_synproxy_core.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index ed00114f65f3..0a038b9b5169 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -191,7 +191,7 @@ synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff,
 		       const struct nf_conn_synproxy *synproxy)
 {
 	unsigned int optoff, optend;
-	__be32 *ptr, old;
+	__be32 old;
 
 	if (synproxy->tsoff == 0)
 		return 1;
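Review bot: with `ptr` dropped from the declarations here in favour of get_unaligned_be32() / put_unaligned_be32(), the patch has no hunk adding an #include for those helpers; both hunks sit inside synproxy_tstamp_adjust(). Please confirm nf_synproxy_core.c already includes the header that declares them directly (<linux/unaligned.h> on current trees) and add the include if the build would otherwise depend on a transitive one.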
@@ -221,18 +221,22 @@ synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff,
 			if (op[0] == TCPOPT_TIMESTAMP &&
 			    op[1] == TCPOLEN_TIMESTAMP) {
 				if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
-					ptr = (__be32 *)&op[2];
-					old = *ptr;
-					*ptr = htonl(ntohl(*ptr) -
-						     synproxy->tsoff);
+					u32 tsval = get_unaligned_be32(&op[2]);
+					u32 new_tsval = tsval - synproxy->tsoff;
+
+					old = cpu_to_be32(tsval);
+					put_unaligned_be32(new_tsval, &op[2]);
+					inet_proto_csum_replace4(&th->check, skb,
+								 old, cpu_to_be32(new_tsval), false);
 				} else {
-					ptr = (__be32 *)&op[6];
-					old = *ptr;
-					*ptr = htonl(ntohl(*ptr) +
-						     synproxy->tsoff);
+					u32 tsecr = get_unaligned_be32(&op[6]);
+					u32 new_tsecr = tsecr + synproxy->tsoff;
+
+					old = cpu_to_be32(tsecr);
+					put_unaligned_be32(new_tsecr, &op[6]);
+					inet_proto_csum_replace4(&th->check, skb,
+								 old, cpu_to_be32(new_tsecr), false);
 				}
-				inet_proto_csum_replace4(&th->check, skb,
-							 old, *ptr, false);
 				return 1;
 			}
 			optoff += op[1];
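Review bot: the checksum fixup is now duplicated, with one inet_proto_csum_replace4() call at the end of each branch where the removed code had a single call after the if/else. Keeping one call is enough for the alignment fix: let each branch store the old value in `old` and the new one in a second `__be32` local, then call inet_proto_csum_replace4(&th->check, skb, old, new, false) once before `return 1`. That removes the two deeply indented continuation lines, avoids converting new_tsval / new_tsecr to big-endian a second time after put_unaligned_be32() has already done so, and keeps the diff limited to replacing the `*ptr` dereferences.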
-- 
2.54.0

Re: [PATCH] netfilter: synproxy: fix unaligned access to TCP timestamp option
Posted by Fernando Fernandez Mancera 5 hours ago
On 6/7/26 6:44 PM, Rosen Penev wrote:
> synproxy_tstamp_adjust() reads and writes the TSval and TSecr fields of
> the TCP Timestamp option via direct __be32 pointer dereferences. These
> fields are at byte offsets 2 and 6 within the option, which are only
> 2-byte aligned — not 4-byte aligned for __be32 access.
> 
> Replace with get_unaligned_be32() / put_unaligned_be32() to safely
> handle the unaligned access on strict-alignment architectures.
> 
> Assisted-by: opencode:big-pickle
> Signed-off-by: Rosen Penev <rosenp@gmail.com>
Hi,

as mentioned in [1], this was already fixed in [2].

[1] https://lore.kernel.org/netdev/a8cfeb06-6ffb-49f2-a14d-c5a50bc4e5be@suse.de/

[2] https://lore.kernel.org/netfilter-devel/20260525124450.6043-4-fmancera@suse.de/

Thanks,
Fernando.
Re: [PATCH] netfilter: synproxy: fix unaligned access to TCP timestamp option
Posted by Rosen Penev 5 hours ago
On Sun, Jun 7, 2026 at 2:27 PM Fernando Fernandez Mancera
<fmancera@suse.de> wrote:
>
> On 6/7/26 6:44 PM, Rosen Penev wrote:
> > synproxy_tstamp_adjust() reads and writes the TSval and TSecr fields of
> > the TCP Timestamp option via direct __be32 pointer dereferences. These
> > fields are at byte offsets 2 and 6 within the option, which are only
> > 2-byte aligned — not 4-byte aligned for __be32 access.
> >
> > Replace with get_unaligned_be32() / put_unaligned_be32() to safely
> > handle the unaligned access on strict-alignment architectures.
> >
> > Assisted-by: opencode:big-pickle
> > Signed-off-by: Rosen Penev <rosenp@gmail.com>
> Hi,
>
> as mentioned in [1], this was already fixed in [2].
OK.
>
> [1] https://lore.kernel.org/netdev/a8cfeb06-6ffb-49f2-a14d-c5a50bc4e5be@suse.de/
>
> [2] https://lore.kernel.org/netfilter-devel/20260525124450.6043-4-fmancera@suse.de/
>
> Thanks,
> Fernando.