Commit 8042240
bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
[ Upstream commit 12bec2b ]
bpf_prog_test_run_skb() calls eth_type_trans() first and then uses
skb->protocol to initialize sk family and address fields for the test
run.
For IPv4 and IPv6 packets, it may access ip_hdr(skb) or ipv6_hdr(skb)
even when the provided test input only contains an Ethernet header.
Reject the input earlier if the Ethernet frame carries IPv4/IPv6
EtherType but the L3 header is too short.
Fold the IPv4/IPv6 header length checks into the existing protocol
switch and return -EINVAL before accessing the network headers.
Fixes: fa5cb54 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")
Reported-by: syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=619b9ef527f510a57cfc
Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
Link: https://lore.kernel.org/r/20260408034623.180320-2-sun.jian.kdev@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>1 parent afdc851 commit 8042240
1 file changed
Lines changed: 12 additions & 8 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1057 | 1057 | | |
1058 | 1058 | | |
1059 | 1059 | | |
1060 | | - | |
1061 | | - | |
1062 | | - | |
1063 | | - | |
| 1060 | + | |
| 1061 | + | |
| 1062 | + | |
1064 | 1063 | | |
| 1064 | + | |
| 1065 | + | |
| 1066 | + | |
1065 | 1067 | | |
1066 | 1068 | | |
1067 | 1069 | | |
1068 | | - | |
1069 | | - | |
1070 | | - | |
1071 | | - | |
| 1070 | + | |
| 1071 | + | |
| 1072 | + | |
1072 | 1073 | | |
| 1074 | + | |
| 1075 | + | |
| 1076 | + | |
1073 | 1077 | | |
1074 | 1078 | | |
1075 | 1079 | | |
| |||
0 commit comments