Re: [PATCH net v2] psp: strip variable-length PSP header in psp_dev_rcv()

Next message: Leo Yan: "Re: [PATCH v6 00/13] fix several inconsistencies with sysfs configuration in etmX"
Previous message: Sumit Garg: "Re: [PATCH v4 04/15] firmware: qcom: Add a PAS TEE service"
In reply to: David Carlier: "[PATCH net v2] psp: strip variable-length PSP header in psp_dev_rcv()"
Next in thread: Daniel Zahka: "Re: [PATCH net v2] psp: strip variable-length PSP header in psp_dev_rcv()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Willem de Bruijn

Date: Fri May 01 2026 - 09:55:43 EST

David Carlier wrote:
> psp_dev_rcv() unconditionally removes a fixed PSP_ENCAP_HLEN, even
> when psph->hdrlen indicates that the PSP header carries optional
> fields. A frame whose PSP header advertises a non-zero VC or any
> extension would therefore be silently mis-decapsulated: option bytes
> would spill into the inner packet head and downstream parsing would
> fail on a corrupted skb.
>
> Compute the full PSP header length from psph->hdrlen, pull the
> optional bytes into the linear region, and strip the whole header
> when decapsulating. Optional fields (VC, ...) are still ignored,
> just discarded with the rest of the header instead of leaking.
> crypt_offset and the VIRT flag are intentionally not validated here
> - callers know their device's PSP implementation and can decide.
>
> Both in-tree callers gate on hardware-validated PSP, so this is a
> correctness fix rather than a reachable corruption path under
> current configurations.
>
> Fixes: 0eddb8023cee ("psp: provide decapsulation and receive helper for drivers")
> Suggested-by: Daniel Zahka <daniel.zahka@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: David Carlier <devnexen@xxxxxxxxx>

Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>