Re: Re: [PATCH net] seg6: validate SRH length before reading fixed fields

From: Nuoqi Gui

Date: Tue Jun 23 2026 - 05:53:22 EST

> -----Original Messages-----
> From: "Andrea Mayer" <andrea.mayer@xxxxxxxxxxx>
> Send time: Tuesday, 23/06/2026 03:33:17
> To: "Nuoqi Gui" <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>, "Eric Dumazet" <edumazet@xxxxxxxxxx>, "Jakub Kicinski" <kuba@xxxxxxxxxx>, "Paolo Abeni" <pabeni@xxxxxxxxxx>, "Simon Horman" <horms@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, bpf@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, stefano.salsano@xxxxxxxxxxx, "Andrea Mayer" <andrea.mayer@xxxxxxxxxxx>
> Subject: Re: [PATCH net] seg6: validate SRH length before reading fixed fields
>
> On Sat, 20 Jun 2026 23:55:51 +0800
> Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi Nuoqi,
> Thanks for the patch.
>
> > seg6_validate_srh() reads fixed SRH fields such as srh->type and
> > srh->hdrlen before checking that the supplied length covers the fixed
> > struct ipv6_sr_hdr fields. Callers that pass a length smaller than
> > sizeof(struct ipv6_sr_hdr) therefore expose those reads to memory
> > outside the validated range.
> >
> > The BPF SEG6 encap path (bpf_lwt_push_encap() -> bpf_push_seg6_encap())
> > is one such caller: it forwards a BPF program-supplied pointer and
> > length straight to seg6_validate_srh() with no minimum-size guard, so a
> > 2-byte SEG6 encap header lets the validator read srh->type at offset 2
> > beyond the caller-supplied buffer.
>
> Besides the BPF use case, is there a caller that can reach it with
> len < sizeof(*srh)? The ones I found all pass at least the fixed header.
>
No, I don't see another current caller that can reach seg6_validate_srh()
with len < sizeof(*srh). I'll narrow the commit message accordingly.

> >
> > Reject lengths shorter than the fixed SRH at the top of
> > seg6_validate_srh(), before any field is read. This fixes the BPF helper
> > path and hardens the common validator for any other caller that reaches it
> > with a too-short SRH.
> >
> > Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers")
> > Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> > ---
> > net/ipv6/seg6.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
> > index 1c3ad25700c4c..d2cb32a1058af 100644
> > --- a/net/ipv6/seg6.c
> > +++ b/net/ipv6/seg6.c
> > @@ -29,6 +29,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len, bool reduced)
> > int max_last_entry;
> > int trailing;
> >
> > + if (len < (int)sizeof(*srh))
> > + return false;
> > +
>
> The (int) cast only changes the result when len < 0, which is not a meaningful
> byte length. Plain "len < sizeof(*srh)" would be enough.
>
I'll use plain len < sizeof(*srh).

> > if (srh->type != IPV6_SRCRT_TYPE_4)
> > return false;
> >
> >
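Review bot: in the added guard `if (len < (int)sizeof(*srh))` the `(int)` cast is what makes a negative len fail the check; with plain `len < sizeof(*srh)` the comparison is performed as unsigned, a negative int converts to a very large size_t and passes this guard, reaching `if (srh->type != IPV6_SRCRT_TYPE_4)` and the reads that follow. If the cast is dropped as discussed, keep the negative case covered, e.g. `if (len < 0 || len < sizeof(*srh))`, or make the length parameter unsigned so the guard rejects every value it cannot safely index.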
> > ---
> > base-commit: 96e7f9122aae0ed000ee321f324b812a447906d9
> > change-id: 20260619-f01-17-seg6-srh-len-a85f35427e0b
> >
> > Best regards,
> > --
> > Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> >
>
> Regards,
> Andrea
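As an added illustration of the guard under discussion, this is a stand-alone, hypothetical SRH validator written for this thread; it is not the kernel's seg6_validate_srh() and `struct srh_fixed`, `srh_validate` and the sample buffers are assumptions. It shows the length check running before any header field is read, with an unsigned length so the negative-length question from the review does not arise, and rejects a constructed 2-byte encap header while accepting a well-formed single-segment SRH.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed 8-byte part of an SRv6 Segment Routing Header (RFC 8754); a
 * hypothetical stand-in for the kernel's struct ipv6_sr_hdr. */
struct srh_fixed {
	uint8_t nexthdr;
	uint8_t hdrlen;         /* 8-octet units, not counting the first 8 */
	uint8_t type;           /* routing type, 4 = Segment Routing */
	uint8_t segments_left;
	uint8_t first_segment;  /* index of the last entry in the segment list */
	uint8_t flags;
	uint16_t tag;
};
#define SRH_TYPE_SR 4

/* Validate an SRH held in buf[0..len). The length guard runs first, so no
 * header field is read until len is known to cover the fixed part; len is
 * size_t here, so a "negative" length cannot slip past the guard either. */
bool srh_validate(const uint8_t *buf, size_t len)
{
	struct srh_fixed h;
	size_t declared, max_entries;

	if (len < sizeof(h))            /* the check the patch adds */
		return false;
	memcpy(&h, buf, sizeof(h));     /* only now is reading the header safe */
	if (h.type != SRH_TYPE_SR)
		return false;
	declared = ((size_t)h.hdrlen + 1) * 8;
	if (declared != len)            /* hdrlen must match the bytes supplied */
		return false;
	max_entries = (len - sizeof(h)) / 16;   /* one IPv6 address per entry */
	if (max_entries == 0 || h.first_segment >= max_entries)
		return false;
	return h.segments_left <= h.first_segment;
}

/* Constructed samples, not captured traffic. */
static const uint8_t srh_truncated[2] = { 0x3a, 0x02 };  /* 2-byte encap header */
static const uint8_t srh_one_segment[24] = {
	0x3a, 0x02, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,  /* hdrlen=2, type=4 */
	0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x00,  /* segment 2001:db8::1 */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
};
```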