Re: [PATCH net v2] amt: don't read the IP source address from a reallocated skb header
From: Jakub Kicinski
Date: Sun Jun 21 2026 - 18:00:17 EST
On Wed, 17 Jun 2026 08:34:43 -0400 Michael Bommarito wrote:
> amt_update_handler() caches iph = ip_hdr(skb) and then calls
> pskb_may_pull(). pskb_may_pull() can reallocate the skb head: the new
> head is allocated and the old one is freed. The cached iph is not
> refreshed, so the following tunnel lookup reads iph->saddr from the
> freed head. On an AMT relay this lookup runs for every incoming
> membership update, before the update's nonce and response MAC are
> validated.
>
> The sibling handlers amt_multicast_data_handler() and
> amt_membership_query_handler() re-read ip_hdr() after the pull and are
> not affected; only amt_update_handler() keeps the pre-pull pointer.
Sashikos point out a bunch more of these in AMT:
https://sashiko.dev/#/patchset/20260617123443.3586930-1-michael.bommarito@xxxxxxxxx
https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260617123443.3586930-1-michael.bommarito@xxxxxxxxx
Let's fix them all with one patch?
--
pw-bot: cr
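The pattern the patch description above is about, as an added userspace illustration (not kernel code and not the AMT driver's code): a stand-in skb, a pskb_may_pull() lookalike that moves the linear head when more bytes need to be linear, and the two handler shapes side by side. Everything here is an assumption for the demo: the struct names (sim_skb, sim_iphdr), sim_pskb_may_pull(), run_scenario(), the layout with the IP header at offset 0 of the head, the 0x6b poison byte, and the constructed packet with source address 0x0a000001. The replaced head is poisoned and kept instead of freed so that the stale read is observable rather than undefined behaviour; in the kernel the same read lands in a freed slab object, which is what KASAN would flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0x6b   /* marks the replaced head, as slab poisoning would */

/* Minimal IPv4 header (20 bytes); only saddr matters for the tunnel lookup. */
struct sim_iphdr {
    uint8_t  ver_ihl, tos;  uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol; uint16_t check;
    uint32_t saddr, daddr;
};

/* Stand-in for the parts of struct sk_buff this bug touches (assumed model: IP header at head offset 0). */
struct sim_skb {
    uint8_t       *head;       /* linear buffer: IP header + first payload bytes */
    size_t         headlen;    /* bytes currently linear */
    size_t         data_off;   /* offset of skb->data, where the AMT header starts */
    const uint8_t *frag;       /* non-linear remainder of the packet */
    size_t         fraglen;
    uint8_t       *quarantine; /* replaced head, poisoned rather than freed */
};

static struct sim_iphdr *sim_ip_hdr(const struct sim_skb *skb)
{
    return (struct sim_iphdr *)skb->head;
}

/* Model of pskb_may_pull(skb, len): make len bytes at skb->data linear. If that
 * needs a bigger head, a new one is allocated and the old one is given up. Here
 * the old head is poisoned and parked, so a stale read is observable. */
static int sim_pskb_may_pull(struct sim_skb *skb, size_t len)
{
    size_t need = skb->data_off + len, copied;
    uint8_t *nh;
    if (need <= skb->headlen)
        return 1;                   /* already linear: no reallocation */
    if (need > skb->headlen + skb->fraglen)
        return 0;                   /* packet too short */
    if (!(nh = malloc(need)))
        return 0;
    copied = need - skb->headlen;
    memcpy(nh, skb->head, skb->headlen);
    memcpy(nh + skb->headlen, skb->frag, copied);
    memset(skb->head, POISON, skb->headlen);
    free(skb->quarantine);
    skb->quarantine = skb->head;    /* old head is no longer the skb's */
    skb->head = nh;
    skb->headlen = need;
    skb->frag += copied;
    skb->fraglen -= copied;
    return 1;
}

/* Buggy shape: header pointer cached before the pull, dereferenced after. */
static uint32_t lookup_saddr_buggy(struct sim_skb *skb, size_t amt_len)
{
    struct sim_iphdr *iph = sim_ip_hdr(skb);   /* cached pre-pull */
    if (!sim_pskb_may_pull(skb, amt_len))
        return 0;
    return iph->saddr;                          /* stale if the head moved */
}

/* Fixed shape: pull first, then re-read ip_hdr(). */
static uint32_t lookup_saddr_fixed(struct sim_skb *skb, size_t amt_len)
{
    if (!sim_pskb_may_pull(skb, amt_len))
        return 0;
    return sim_ip_hdr(skb)->saddr;              /* fresh pointer */
}

/* Constructed packet: IP header + linear_payload bytes in head, 16 zero
 * bytes non-linear. Runs one lookup and returns the saddr it saw. */
uint32_t run_scenario(size_t linear_payload, size_t pull_len, int fixed)
{
    static const uint8_t frag[16] = { 0 };
    struct sim_skb skb = { 0 };
    uint32_t got;
    skb.headlen = sizeof(struct sim_iphdr) + linear_payload;
    if (!(skb.head = calloc(1, skb.headlen))) abort();
    skb.data_off = sizeof(struct sim_iphdr);
    skb.frag = frag;
    skb.fraglen = sizeof frag;
    sim_ip_hdr(&skb)->saddr = 0x0a000001u;      /* constructed source address */
    got = fixed ? lookup_saddr_fixed(&skb, pull_len)
                : lookup_saddr_buggy(&skb, pull_len);
    free(skb.head); free(skb.quarantine);
    return got;
}

int main(void)
{
    printf("buggy, head reallocated: %08x\n", run_scenario(8, 24, 0));
    printf("fixed, head reallocated: %08x\n", run_scenario(8, 24, 1));
    printf("buggy, no reallocation : %08x\n", run_scenario(32, 24, 0));
    return 0;
}
```

The third scenario is the reason this class of bug survives testing: when the AMT header already sits in the linear area, pskb_may_pull() returns without moving anything and the cached pointer stays valid, so only a packet whose header spills into the non-linear part (GRO, paged receive, a short first fragment) triggers the reallocation and the stale read. The fix is the same one the sibling handlers already use: call ip_hdr() again after every pull, and never cache a header pointer across a function that can change skb->head.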