
Commit d45cf1e

edumazet authored and kuba-moo committed
ipv6: reject malicious packets in ipv6_gso_segment()
syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 Fixes: d1da932 ("ipv6: Separate ipv6 offload support") Reported-by: syzbot+af43e647fd835acc02df@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/688a1a05.050a0220.5d226.0008.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20250730131738.3385939-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 7cbd497 commit d45cf1e


2 files changed

+26
-1
lines changed


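--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3033,6 +3033,29 @@ static inline void skb_reset_transport_header(struct sk_buff *skb)
 	skb->transport_header = offset;
 }
 
+/**
+ * skb_reset_transport_header_careful - conditionally reset transport header
+ * @skb: buffer to alter
+ *
+ * Hardened version of skb_reset_transport_header().
+ *
+ * Returns: true if the operation was a success.
+ */
+static inline bool __must_check
+skb_reset_transport_header_careful(struct sk_buff *skb)
+{
+	long offset = skb->data - skb->head;
+
+	if (unlikely(offset != (typeof(skb->transport_header))offset))
+		return false;
+
+	if (unlikely(offset == (typeof(skb->transport_header))~0U))
+		return false;
+
+	skb->transport_header = offset;
+	return true;
+}
+
 static inline void skb_set_transport_header(struct sk_buff *skb,
 					    const int offset)
 {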
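Review bot: The two guards in skb_reset_transport_header_careful() carry no comment, so a reader has to work out why an offset equal to `(typeof(skb->transport_header))~0U` is rejected even though it fits the field; presumably that value is the "header not set" sentinel that skb_transport_header_was_set() tests for, so storing it would make a valid header look unset — worth confirming and stating. A one-line comment above that check, `/* ~0U is the "header not set" sentinel; a valid offset must not alias it */`, and one above the first, `/* reject offsets (including negative ones) that do not round-trip through the 16-bit field */`, would capture this. The kernel-doc "Returns:" line could also name the failure condition, e.g. `* Returns: true on success, false if the offset does not fit in skb->transport_header.`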

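--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -148,7 +148,9 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
 
 	ops = rcu_dereference(inet6_offloads[proto]);
 	if (likely(ops && ops->callbacks.gso_segment)) {
-		skb_reset_transport_header(skb);
+		if (!skb_reset_transport_header_careful(skb))
+			goto out;
+
 		segs = ops->callbacks.gso_segment(skb, features);
 		if (!segs)
 			skb->network_header = skb_mac_header(skb) + nhoff - skb->head;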
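Review bot: The new `goto out` leaves ipv6_gso_segment() with whatever `segs` holds at that point, and both the initialiser of `segs` and the `out:` label lie outside the hunk, so the error value returned for an over-long extension-header chain is not visible here (presumably an error pointer — verify); a comment at the goto, `/* extension headers too long for the 16-bit transport_header; drop */`, would make the intent explicit to the next reader. Since this bail-out replaces the WARNING splat quoted in the description, such a packet now leaves no trace beyond the caller's generic drop accounting; if that path does not attribute a drop reason, a dedicated reason or counter would help operators notice them. ipv6_gso_segment() starts and ends outside the hunk.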
