Re: [PATCH net v4 2/2] pppoe: drop PFC frames

Next message: Masami Hiramatsu (Google): "[PATCH v4 0/3] tracing/fprobe: Fix fprobe_ip_table related bugs"
Previous message: Milan Broz: "Re: [PATCH v2 3/3] dm: add documentation for dm-inlinecrypt target"
In reply to: Qingfang Deng: "[PATCH net v4 2/2] pppoe: drop PFC frames"
Next in thread: Simon Horman: "Re: [PATCH net v4 1/2] flow_dissector: do not dissect PPPoE PFC frames"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Simon Horman

Date: Fri Apr 10 2026 - 13:11:46 EST

On Fri, Apr 10, 2026 at 11:36:21AM +0800, Qingfang Deng wrote:
> RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
> RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
> PFC for PPPoE sessions, and the current PPPoE driver assumes an
> uncompressed (2-byte) protocol field. However, the generic PPP layer
> function ppp_input() is not aware of the negotiation result, and still
> accepts PFC frames.
>
> If a peer with a broken implementation or an attacker sends a frame with
> a compressed (1-byte) protocol field, the subsequent PPP payload is
> shifted by one byte. This causes the network header to be 4-byte
> misaligned, which may trigger unaligned access exceptions on some
> architectures.
>
> To reduce the attack surface, drop PPPoE PFC frames. Introduce
> ppp_skb_is_compressed_proto() helper function to be used in both
> ppp_generic.c and pppoe.c to avoid open-coding.
>
> Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer")
> Signed-off-by: Qingfang Deng <qingfang.deng@xxxxxxxxx>
> ---
> Changes in v4:
> Update Fixes tag as suggested by AI review
> Link to v3: https://lore.kernel.org/r/20260409031107.616630-2-qingfang.deng@xxxxxxxxx
> Changes in v3:
> Fix kdoc warning
> Link to v2: https://lore.kernel.org/r/20260408024245.312732-1-qingfang.deng@xxxxxxxxx

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>