Re: [PATCH net 3/3] vxlan: validate ND option lengths in vxlan_na_create

From: Ido Schimmel

Date: Thu Mar 26 2026 - 12:42:52 EST


On Thu, Mar 26, 2026 at 03:44:41AM +0000, Yang Yang wrote:
> vxlan_na_create() walks ND options according to option-provided
> lengths. A malformed option can make the parser advance beyond the
> computed option span or use a too-short source LLADDR option payload.
>
> Validate option lengths against the remaining NS option area before
> advancing, and only read source LLADDR when the option is large enough
> for an Ethernet address.
>
> Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Yifan Wu <yifanwucs@xxxxxxxxx>
> Reported-by: Juefei Pu <tomapufckgml@xxxxxxxxx>
> Tested-by: Ao Zhou <n05ec@xxxxxxxxxx>
> Co-developed-by: Yuan Tan <tanyuan98@xxxxxxxxxxx>
> Signed-off-by: Yuan Tan <tanyuan98@xxxxxxxxxxx>
> Suggested-by: Xin Liu <bird@xxxxxxxxxx>
> Signed-off-by: Yang Yang <n05ec@xxxxxxxxxx>

Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>
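
Added example, not part of the patch or of this thread: a user-space C version of the kind of bounded ND option walk the commit message describes, checking each option's length against the remaining option area before advancing or reading the source LLADDR. The function name, return codes and sample byte arrays are assumptions constructed for illustration; the kernel's vxlan_na_create() code is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_SOURCE_LL_ADDR 1 /* RFC 4861 option type */
#define ETH_ALEN 6

/* Constructed sample option areas (not captured traffic). */
static const uint8_t opts_ok[] = { 14, 1, 0, 0, 0, 0, 0, 0,  /* unrelated option, 8 bytes */
                                   1, 1, 0x02, 0, 0, 0, 0, 0x01 }; /* source LLADDR */
static const uint8_t opts_overrun[] = { 1, 2, 0x02, 0, 0, 0, 0, 0x01 }; /* claims 16, has 8 */
static const uint8_t opts_zero[] = { 14, 0, 0, 0, 0, 0, 0, 0 };   /* zero length field */

/* Returns 1 and fills mac if a well-formed source LLADDR option is found,
 * 0 if the options are well-formed but contain none, -1 if malformed. */
int nd_find_source_lladdr(const uint8_t *opt, size_t opt_len, uint8_t mac[ETH_ALEN])
{
    size_t off = 0;

    while (off < opt_len) {
        size_t remaining = opt_len - off;
        size_t len;

        if (remaining < 2)               /* no room for type + length bytes */
            return -1;
        len = (size_t)opt[off + 1] << 3; /* length field counts 8-octet units */
        if (len == 0 || len > remaining) /* would never advance, or steps past the area */
            return -1;
        if (opt[off] == ND_OPT_SOURCE_LL_ADDR) {
            if (len < 2 + ETH_ALEN)      /* explicit bound for the copy below */
                return -1;
            memcpy(mac, opt + off + 2, ETH_ALEN);
            return 1;
        }
        off += len;
    }
    return 0;
}

int main(void)
{
    uint8_t mac[ETH_ALEN];
    printf("ok=%d\n", nd_find_source_lladdr(opts_ok, sizeof(opts_ok), mac));
    printf("overrun=%d\n", nd_find_source_lladdr(opts_overrun, sizeof(opts_overrun), mac));
    printf("zero=%d\n", nd_find_source_lladdr(opts_zero, sizeof(opts_zero), mac));
    return 0;
}
```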