Commit 1f882c4
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
[ Upstream commit 12bec2b ]
bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.
For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.
Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.
Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.
Fixes: fa5cb54 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Link: https://lore.kernel.org/r/20260408034623.180320-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>1 parent d554209 commit 1f882c4
1 file changed
Lines changed: 12 additions & 8 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1061 | 1061 | | |
1062 | 1062 | | |
1063 | 1063 | | |
1064 | | - | |
1065 | | - | |
1066 | | - | |
1067 | | - | |
| 1064 | + | |
| 1065 | + | |
| 1066 | + | |
1068 | 1067 | | |
| 1068 | + | |
| 1069 | + | |
| 1070 | + | |
1069 | 1071 | | |
1070 | 1072 | | |
1071 | 1073 | | |
1072 | | - | |
1073 | | - | |
1074 | | - | |
1075 | | - | |
| 1074 | + | |
| 1075 | + | |
| 1076 | + | |
1076 | 1077 | | |
| 1078 | + | |
| 1079 | + | |
| 1080 | + | |
1077 | 1081 | | |
1078 | 1082 | | |
1079 | 1083 | | |
| |||
0 commit comments