Re: [PATCH net v5] ipv6: validate extension header length before copying to cmsg

Next message: Andrew Morton: "Re: [PATCH v5] mm/alloc_tag: replace fixed-size early PFN array with dynamic linked list"
Previous message: Sean Christopherson: "Re: [PATCH v3 06/16] KVM: selftests: Add IRQ injection test"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Tue May 26 2026 - 22:00:04 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Sat, 23 May 2026 22:32:45 +0800 you wrote:
> ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
> cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
> on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
> The length was validated only at parse time (ipv6_parse_hopopts(),
> etc.). An nftables payload-write expression can rewrite hdrlen after
> parsing and before the skb reaches recvmsg; the write itself is
> in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
> bytes from an 8-byte header. nftables is reachable from an
> unprivileged user namespace, so this is an unprivileged
> slab-out-of-bounds read:
>
> [...]

Here is the summary with links:
- [net,v5] ipv6: validate extension header length before copying to cmsg
https://git.kernel.org/netdev/net/c/dd433671fef3

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html