Re: [PATCH net] fddi: validate skb length before parsing headers

Next message: Vladimir Oltean: "[PATCH v5 phy-next 01/16] phy: lynx-28g: avoid returning NULL in of_xlate() function"
Previous message: Nguyen Minh Tien: "[PATCH 0/2] iio: adc: Add Texas Instruments ADS1220 ADC"
In reply to: Simon Horman: "Re: [PATCH net] fddi: validate skb length before parsing headers"
Next in thread: patchwork-bot+netdevbpf: "Re: [PATCH net] fddi: validate skb length before parsing headers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Wed Jun 10 2026 - 11:22:41 EST

On Sun, 7 Jun 2026 19:24:04 +0800 Yizhou Zhao wrote:
> KASAN reports this when such a frame is processed through a dummy FDDI
> netdev that calls the real fddi_type_trans() on an exact kmalloc() copy
> of the frame:
>
> BUG: KASAN: slab-out-of-bounds in fddi_type_trans+0x385/0x3a0
> Read of size 2 at addr ffff888009c6fe33
> The buggy address is located 4 bytes to the right of
> allocated 15-byte region [ffff888009c6fe20, ffff888009c6fe2f)
>
> Reject short frames before reading the fields: require the minimum 802.2
> header length before accessing dsap or daddr, and require the full SNAP
> header length before reading the SNAP ethertype. Returning protocol 0
> causes the malformed packet to be ignored by protocol handlers.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@xxxxxxxxxxxxxxx

I'm stripping these, the problem seems entirely theoretical.
"I invented a fake driver and it makes the stack crash" is not serious.