Re: [PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Next message: Harry Yoo: "Re: [PATCH slab/for-next-fixes] mm/slab: allow sheaf refill if blocking is not allowed"
Previous message: Rodrigo Alencar: "Re: [PATCH v8 02/10] lib: kstrtox: add kstrntoull() helper"
In reply to: Roshan Kumar: "[PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Steffen Klassert

Date: Wed Mar 04 2026 - 05:04:51 EST

On Sun, Mar 01, 2026 at 10:56:38AM +0000, Roshan Kumar wrote:
> Add validation of the inner IPv4 packet tot_len and ihl fields parsed
> from decrypted IPTFS payloads in __input_process_payload(). A crafted
> ESP packet containing an inner IPv4 header with tot_len=0 causes an
> infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
> data offset never advances and the while(data < tail) loop never
> terminates, spinning forever in softirq context.
>
> Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
> iphdr), which catches both the tot_len=0 case and malformed ihl values.
> The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
> extracts and processes inner packets before they reach that layer.
>
> Reported-by: Roshan Kumar <roshaen09@xxxxxxxxx>
> Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Roshan Kumar <roshaen09@xxxxxxxxx>

Applied to the ipsec tree, thanks a lot!