[PATCH v4 4/5] net/sched: netem: handle multi-segment skb in corruption

Next message: Frederick Mayle: "Re: [PATCH 1/1] mm/readahead: simplify page_cache_ra_unbounded loop counter reset"
Previous message: Stephen Hemminger: "[PATCH v4 2/5] net/sched: netem: remove useless VERSION"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stephen Hemminger

Date: Thu May 07 2026 - 22:03:28 EST

The packet corruption code only flipped bits in the linear
header portion of the skb, skipping corruption when
skb_headlen() was zero.

Linearize the whole skb if necessary before corruption.
Extends d64cb81dcbd5 ("net/sched: sch_netem: fix out-of-bounds access
in packet corruption") with a more general solution.

Signed-off-by: Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx>
---
net/sched/sch_netem.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 53bdfa77ee2d..37df05bf43ee 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -513,16 +513,17 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
qdisc_qstats_drop(sch);
goto finish_segs;
}
- if (skb->ip_summed == CHECKSUM_PARTIAL &&
- skb_checksum_help(skb)) {
+ if (skb_linearize(skb) ||
+ (skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_help(skb))) {
qdisc_drop(skb, sch, to_free);
skb = NULL;
goto finish_segs;
}

- if (skb_headlen(skb))
- skb->data[get_random_u32_below(skb_headlen(skb))] ^=
- 1 << get_random_u32_below(8);
+ if (skb->len) {
+ u32 offset = get_random_u32_below(skb->len);
+ skb->data[offset] ^= 1 << get_random_u32_below(8);
+ }
}

if (unlikely(sch->q.qlen >= sch->limit)) {
--
2.53.0