Commit 6def5fe
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
[ Upstream commit 12bec2b ]
bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.
For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.
Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.
Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.
Fixes: fa5cb54 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Link: https://lore.kernel.org/r/20260408034623.180320-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>1 parent 69f9a63 commit 6def5fe
1 file changed
Lines changed: 12 additions & 8 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1120 | 1120 | | |
1121 | 1121 | | |
1122 | 1122 | | |
1123 | | - | |
1124 | | - | |
1125 | | - | |
1126 | | - | |
| 1123 | + | |
| 1124 | + | |
| 1125 | + | |
1127 | 1126 | | |
| 1127 | + | |
| 1128 | + | |
| 1129 | + | |
1128 | 1130 | | |
1129 | 1131 | | |
1130 | 1132 | | |
1131 | | - | |
1132 | | - | |
1133 | | - | |
1134 | | - | |
| 1133 | + | |
| 1134 | + | |
| 1135 | + | |
1135 | 1136 | | |
| 1137 | + | |
| 1138 | + | |
| 1139 | + | |
1136 | 1140 | | |
1137 | 1141 | | |
1138 | 1142 | | |
| |||
0 commit comments