Re: [PATCH net] seg6: validate SRH length before reading fixed fields

From: Andrea Mayer

Date: Mon Jun 22 2026 - 15:39:51 EST


On Sat, 20 Jun 2026 23:55:51 +0800
Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx> wrote:

Hi Nuoqi,
Thanks for the patch.

> seg6_validate_srh() reads fixed SRH fields such as srh->type and
> srh->hdrlen before checking that the supplied length covers the fixed
> struct ipv6_sr_hdr fields. Callers that pass a length smaller than
> sizeof(struct ipv6_sr_hdr) therefore expose those reads to memory
> outside the validated range.
>
> The BPF SEG6 encap path (bpf_lwt_push_encap() -> bpf_push_seg6_encap())
> is one such caller: it forwards a BPF program-supplied pointer and
> length straight to seg6_validate_srh() with no minimum-size guard, so a
> 2-byte SEG6 encap header lets the validator read srh->type at offset 2
> beyond the caller-supplied buffer.

Besides the BPF use case, is there a caller that can reach it with
len < sizeof(*srh)? The ones I found all pass at least the fixed header.

>
> Reject lengths shorter than the fixed SRH at the top of
> seg6_validate_srh(), before any field is read. This fixes the BPF helper
> path and hardens the common validator for any other caller that reaches it
> with a too-short SRH.
>
> Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers")
> Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> ---
> net/ipv6/seg6.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
> index 1c3ad25700c4c..d2cb32a1058af 100644
> --- a/net/ipv6/seg6.c
> +++ b/net/ipv6/seg6.c
> @@ -29,6 +29,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len, bool reduced)
> int max_last_entry;
> int trailing;
>
> + if (len < (int)sizeof(*srh))
> + return false;
> +

The (int) cast only changes the result when len < 0, which is not a meaningful
byte length. Plain "len < sizeof(*srh)" would be enough.

> if (srh->type != IPV6_SRCRT_TYPE_4)
> return false;
>
>
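
Review bot: the (int) cast in the new "len < (int)sizeof(*srh)" check at the top of seg6_validate_srh() changes the outcome for negative len and should stay, ideally with a one-line comment saying so. len is declared int in the signature, so without the cast it would be converted to size_t for the comparison, and a negative len would compare as a very large value and pass this guard instead of being rejected. With the cast the comparison is signed and a negative len returns false before srh->type is read.
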
> ---
> base-commit: 96e7f9122aae0ed000ee321f324b812a447906d9
> change-id: 20260619-f01-17-seg6-srh-len-a85f35427e0b
>
> Best regards,
> --
> Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
>

Regards,
Andrea
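
A user-space model of the length-before-read check discussed in this thread, added here as an illustration (it is not code from the patch or from the kernel). struct model_srh, MODEL_SRCRT_TYPE_4 and the function names are assumptions; the layout follows the 8-byte fixed part of the SRH, and the model checks only the type and total-length fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_SRCRT_TYPE_4 4   /* assumed stand-in for IPV6_SRCRT_TYPE_4 */

/* Model of the fixed SRH fields (8 bytes); hypothetical name. */
struct model_srh {
    uint8_t  nexthdr;
    uint8_t  hdrlen;         /* 8-octet units, not counting the first 8 octets */
    uint8_t  type;
    uint8_t  segments_left;
    uint8_t  first_segment;
    uint8_t  flags;
    uint16_t tag;
};

/* Guard as written in the patch: signed comparison, so len < 0 is rejected. */
bool len_ok_signed(int len)
{
    return !(len < (int)sizeof(struct model_srh));
}

/* What the guard becomes without the (int) cast: len is converted to
 * size_t, so a negative len turns into a huge value and is accepted. */
bool len_ok_unsigned(int len)
{
    return !((size_t)len < sizeof(struct model_srh));
}

/* Validate in the order the patch establishes: length first, fields after.
 * Fields are read by byte offset so buf needs no particular alignment. */
bool model_validate_srh(const uint8_t *buf, int len)
{
    if (!len_ok_signed(len))
        return false;                      /* nothing read from buf yet */
    if (buf[offsetof(struct model_srh, type)] != MODEL_SRCRT_TYPE_4)
        return false;
    if (((buf[offsetof(struct model_srh, hdrlen)] + 1) << 3) != len)
        return false;                      /* hdrlen must match the length */
    return true;
}
```
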