[PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Next message: Dmitry Baryshkov: "Re: [PATCH v9 2/3] of: factor arguments passed to of_map_id() into a struct"
Previous message: Aleksandrs Vinarskis: "Re: [PATCH] iio: st_sensors: fix trigger allocation"
Next in thread: Steffen Klassert: "Re: [PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Roshan Kumar

Date: Sun Mar 01 2026 - 05:57:42 EST

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

Reported-by: Roshan Kumar <roshaen09@xxxxxxxxx>
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Roshan Kumar <roshaen09@xxxxxxxxx>
---
net/xfrm/xfrm_iptfs.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 050a82101ca5..4cd0747367bd 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -991,6 +991,11 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data,

iplen = be16_to_cpu(iph->tot_len);
iphlen = iph->ihl << 2;
+ if (iplen < iphlen || iphlen < sizeof(*iph)) {
+ XFRM_INC_STATS(net,
+ LINUX_MIB_XFRMINHDRERROR);
+ goto done;
+ }
protocol = cpu_to_be16(ETH_P_IP);
XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos;
} else if (iph->version == 0x6) {
--
2.48.1