Re: [PATCH net v3] ipv6: validate extension header length before copying to cmsg
From: Qi Tang
Date: Fri May 01 2026 - 21:25:26 EST
On Tue, Apr 28, 2026, Paolo Abeni <pabeni@xxxxxxxxxx> wrote:
> > +static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
> > +{
> > + u16 len = (ptr[1] + 1) << 3;
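Review bot: ptr[1] is dereferenced on the first line of the helper before anything confirms that the two fixed bytes of the header lie inside the linear data, so a bound check such as `ptr + 2 > skb_tail_pointer(skb)` needs to come before the read. With a plain u16 return and no error value, the caller also cannot tell a rejected header from a genuine length; returning 0 (never a valid length) in the failure case and having callers stop copying would make that distinction explicit.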
>
> Sashiko notes that you should validate even this offset (1) before
> accessing it.
Good catch. I will add a "ptr + 2 > skb_tail_pointer(skb)" check
before reading ptr[1], in both the helper and the inline AH path.
> You may also consider switching to pskb_may_pull().
I considered this but would prefer to keep skb_tail_pointer().
Two reasons:
1. ipv6_parse_hopopts() / dst_opts_rcv() / ipv6_rthdr_rcv() already
   pskb_may_pull() the full extension header during input parsing,
   so by the time ip6_datagram_recv_specific_ctl() runs the headers
   are guaranteed to be in the linear area; another pskb_may_pull()
   would be a no-op.
2. When pskb_may_pull() does have work to do, __pskb_pull_tail() can
   call pskb_expand_head() and reallocate skb->head, which would
   invalidate the caller's `ptr` (computed as nh + offset).
WDYT? Happy to switch if I'm missing something.
Thanks,
Qi
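A userspace model of the bound check discussed above, added here as an illustration and not code from the patch or the thread: `end` stands in for skb_tail_pointer(skb), the next-header numbers are the standard IPv6 ones, and the sample header chain is constructed. It shows the two-byte check running before ptr[1] is read, and the walk stopping on a truncated header instead of copying past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
/* Standard IPv6 next-header numbers (RFC 8200, RFC 4302). */
#define NEXTHDR_HOP  0
#define NEXTHDR_AUTH 51
#define NEXTHDR_NONE 59
#define NEXTHDR_DEST 60
/* Byte length of the extension header at ptr, or 0 if it does not lie fully
 * inside [ptr, end). The two-byte check comes first, so ptr[1] is never read
 * unless both fixed fields are in bounds; end stands in for skb_tail_pointer(). */
static size_t exthdr_len(const uint8_t *ptr, const uint8_t *end, uint8_t type)
{
    size_t avail = (size_t)(end - ptr), len;
    if (avail < 2)
        return 0;
    if (type == NEXTHDR_AUTH)
        len = ((size_t)ptr[1] + 2) << 2;   /* AH: 32-bit words, minus 2 */
    else
        len = ((size_t)ptr[1] + 1) << 3;   /* HBH/DST: 8-byte units, minus 1 */
    return len <= avail ? len : 0;
}
/* Walk the chain starting with header type first; returns how many headers are
 * completely present and sets *truncated if one ran past end. */
static int count_exthdrs(const uint8_t *pkt, size_t pktlen, uint8_t first,
                         int *truncated)
{
    const uint8_t *ptr = pkt, *end = pkt + pktlen;
    uint8_t type = first;
    int n = 0;
    *truncated = 0;
    while (type == NEXTHDR_HOP || type == NEXTHDR_AUTH || type == NEXTHDR_DEST) {
        size_t len = exthdr_len(ptr, end, type);
        if (len == 0) {
            *truncated = 1;
            break;
        }
        type = ptr[0];        /* next-header field, already known to be in bounds */
        ptr += len;
        n++;
    }
    return n;
}
/* Constructed sample chain: HBH(8) -> DST(16) -> AH(24) -> NEXTHDR_NONE. */
static const uint8_t sample[48] = {
    [0] = NEXTHDR_DEST, [1] = 0, [8] = NEXTHDR_AUTH, [9] = 1, [24] = NEXTHDR_NONE, [25] = 4,
};

/* Parse the sample as if the packet were cut short at cut bytes. */
static int sample_headers(size_t cut) { int t; return count_exthdrs(sample, cut, NEXTHDR_HOP, &t); }
static int sample_truncated(size_t cut) { int t; count_exthdrs(sample, cut, NEXTHDR_HOP, &t); return t; }
```

Cutting the sample to 25 bytes leaves only one byte of the AH header, which is exactly the case where reading ptr[1] without the prior check would run past the end.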