Re: [PATCH bpf-next v3] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb

From: bot+bpf-ci

Date: Fri Apr 03 2026 - 01:16:41 EST


> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index 4cd6b3ea1815a..2bc04feadfabe 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -1137,19 +1137,23 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
>
> switch (skb->protocol) {
> case htons(ETH_P_IP):
> - sk->sk_family = AF_INET;
> - if (sizeof(struct iphdr) <= skb_headlen(skb)) {
> - sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
> - sk->sk_daddr = ip_hdr(skb)->daddr;
> + if (skb_headlen(skb) < sizeof(struct iphdr)) {
> + ret = -EINVAL;
> + goto out;
> }
> + sk->sk_family = AF_INET;
> + sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
> + sk->sk_daddr = ip_hdr(skb)->daddr;
> break;
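
Review bot: the `if (skb_headlen(skb) < sizeof(struct iphdr))` branch in the ETH_P_IP case changes what user space sees, and nothing in the hunk documents it. The removed lines still set sk->sk_family = AF_INET for a short input and only skipped the address copy, without returning an error here; the same input now fails with -EINVAL. A one-line comment above the check stating that inputs too short for the fixed IPv4 header are rejected, plus a sentence in the commit message about the new return value, would help anyone whose existing test input starts failing. The bound itself is sufficient for the two reads that follow, since saddr and daddr both lie inside the fixed struct iphdr, so no ihl check is needed for these lines.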

[ ... ]

This fixes a bug that has existed since fa5cb548ced6 ("bpf: Setup
socket family and addresses in bpf_prog_test_run_skb") which
introduced the sk_family assignment and ip_hdr()/ipv6_hdr() access
without rejecting packets too short to contain L3 headers.

Should this carry a Fixes: tag? Something like:

Fixes: fa5cb548ced6 ("bpf: Setup socket family and addresses in bpf_prog_test_run_skb")

This was also raised in the v2 review thread:
https://lore.kernel.org/bpf/20260329161751.1914272-1-sun.jian.kdev@xxxxxxxxx/


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/23910290394