Re: [PATCH net] atm: br2684: reject short VC-MUX bridged frames

Next message: Jonathan Cameron: "Re: [PATCH 2/3] dt-bindings: iio: st,st-sensors: add st,fullscale-mg"
Previous message: Jori Koolstra: "Re: [RFC PATCH v6 3/9] vfs: prepare vfs_creat|mkdir_no_perm for reuse in lookup_open()"
In reply to: Yizhou Zhao: "[PATCH net] atm: br2684: reject short VC-MUX bridged frames"
Next in thread: Yizhou Zhao: "Re: [PATCH net] atm: br2684: reject short VC-MUX bridged frames"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Lunn

Date: Sun Jun 14 2026 - 14:39:34 EST

On Sun, Jun 14, 2026 at 11:27:45PM +0800, Yizhou Zhao wrote:
> br2684_push() validates the two-byte pad at the start of received
> VC-MUX bridged frames with memcmp(), but does not first make sure that
> those two bytes are present in the skb.
>
> A short AAL5 PDU can reach this path after a BR2684 VCC is attached with
> BR2684_ENCAPS_VC and bridged payload. If skb->len is 0 or 1, the pad
> comparison reads beyond the valid skb data. When the bytes beyond
> skb->len compare as zero, the code then continues toward eth_type_trans()
> with the malformed frame.
>
> Reject frames shorter than BR2684_PAD_LEN before checking the pad. This
> keeps the existing validation for valid VC-MUX bridged frames, which must
> carry the two-byte pad before the Ethernet header.
>
> Fixes: 7e903c2ae36e ("atm: [br2864] fix routed vcmux support")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Yizhou Zhao <zhaoyz24@xxxxxxxxxxxxxxxxxxxxx>
> Reported-by: Yuxiang Yang <yangyx22@xxxxxxxxxxxxxxxxxxxxx>
> Reported-by: Ao Wang <wangao@xxxxxxxxxx>
> Reported-by: Xuewei Feng <fengxw06@xxxxxxx>
> Reported-by: Qi Li <qli01@xxxxxxxxxxxxxxx>
> Reported-by: Ke Xu <xuke@xxxxxxxxxxxxxxx>
> Assisted-by: GLM:GLM-5.1

Same questions as for the previous patch. Lots of parallel
discoveries? What hardware was used, etc.

Andrew