Re: [PATCH net 0/2] ipv4: harden against ihl < 5 IP_HDRINCL packets

From: Michael Bommarito

Date: Tue May 12 2026 - 19:06:14 EST


On Tue, May 12, 2026 at 6:34 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> There are possibly more ways to mangle ihl in the kernel in 2026, not
> only NFQUEUE and nft_payload.

Yes, and there's a peer issue in BEET IHL wrap I fixed in 017ccd82092e too.

In addition to a few other nft_* paths, my understanding is that tc,
NFQUEUE in userspace, eBPF, OVS, etc. will all be a problem unless we
guard in the IP stack itself. But then if there are legitimate uses
of this path, we might cause regressions for people with complex rule
sets. That's why Herbert suggested we should bring the issue here to
get feedback from the list broadly.

> Your patches LGTM, are you suggesting more patches?

I think the answer is yes either way: either A) a smaller patch
set in IP that I can handle if we go that route, or B) patches distributed
across people who know each of their systems better if we handle it in
each subsystem.

Thanks,
Mike Bommarito
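As an added illustration of the guard the thread is debating (this is not the kernel patch, nor code from any participant), here is a userland C check that rejects an IPv4 header whose ihl is below the 5-word minimum or inconsistent with the buffer and total length. The function name and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ihl counts 32-bit words; the fixed IPv4 header is 5 words = 20 bytes. */
#define IPV4_MIN_IHL 5
#define IPV4_MIN_HDR_LEN (IPV4_MIN_IHL * 4)

/*
 * Sanity-check the IPv4 header at the start of `pkt` (`len` bytes), as a
 * raw-socket IP_HDRINCL path or a hook that has just mangled the header
 * would see it. Returns 1 if the header is usable, 0 if the packet must
 * be dropped. Hypothetical userland illustration, not kernel code.
 */
int ipv4_header_sane(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < IPV4_MIN_HDR_LEN)
        return 0;                        /* too short to hold a header */

    unsigned version = pkt[0] >> 4;
    unsigned ihl = pkt[0] & 0x0f;        /* header length in 32-bit words */
    size_t hdr_len = (size_t)ihl * 4;
    size_t tot_len = ((size_t)pkt[2] << 8) | pkt[3];

    if (version != 4)
        return 0;
    if (ihl < IPV4_MIN_IHL)
        return 0;                        /* ihl < 5: "options" would overlap fixed fields */
    if (hdr_len > len)
        return 0;                        /* header with options runs past the buffer */
    if (tot_len < hdr_len || tot_len > len)
        return 0;                        /* tot_len inconsistent with header or buffer */
    return 1;
}

/* Constructed sample: a valid 20-byte header, no options, UDP, 10.0.0.1 -> 10.0.0.2. */
static const uint8_t pkt_valid[20] = {
    0x45, 0x00, 0x00, 0x14,   /* version 4, ihl 5, tot_len 20 */
    0x00, 0x01, 0x00, 0x00,   /* id, flags/fragment offset */
    0x40, 0x11, 0x00, 0x00,   /* ttl, proto 17 (UDP), checksum (not verified here) */
    0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
};

/* Constructed sample: same header with ihl mangled to 2 (first byte 0x42). */
static const uint8_t pkt_ihl2[20] = {
    0x42, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
};

/* Constructed sample: ihl 15 (60-byte header claimed) but only 20 bytes present. */
static const uint8_t pkt_ihl15_short[20] = {
    0x4f, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
};

int main(void)
{
    printf("valid header      -> %d\n", ipv4_header_sane(pkt_valid, sizeof pkt_valid));
    printf("ihl = 2           -> %d\n", ipv4_header_sane(pkt_ihl2, sizeof pkt_ihl2));
    printf("ihl = 15, short   -> %d\n", ipv4_header_sane(pkt_ihl15_short, sizeof pkt_ihl15_short));
    printf("truncated buffer  -> %d\n", ipv4_header_sane(pkt_valid, 19));
    return 0;
}
```

The check is deliberately placed on the header alone so it can sit at the boundary the thread discusses (after any mangling path, before fixed-field consumers), rather than in each of the nft_*, tc, eBPF or OVS paths that might produce such a header.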