Re: [PATCH net v2] seg6: validate SRH length before reading fixed fields
From: Andrea Mayer
Date: Thu Jun 25 2026 - 15:50:20 EST
On Tue, 23 Jun 2026 18:32:31 +0800
Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx> wrote:
> seg6_validate_srh() reads fixed SRH fields such as srh->type and
> srh->hdrlen before checking that the supplied length covers the fixed
> struct ipv6_sr_hdr fields.
>
> The BPF SEG6 encap path reaches this with a BPF program-supplied pointer
> and length: bpf_lwt_push_encap() and the SEG6 local BPF END_B6 and
> END_B6_ENCAP actions call bpf_push_seg6_encap(), which forwards the
> length to seg6_validate_srh() with no minimum-size guard. A 2-byte SEG6
> encap header can therefore make the validator read srh->type at offset 2
> beyond the caller-supplied buffer.
>
> Reject lengths shorter than the fixed SRH at the top of
> seg6_validate_srh(), before any field is read. This fixes the BPF helper
> path and keeps the common validator robust.
>
> Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers")
> Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v2:
> - Narrowed the commit message to the BPF encap callers that can supply a
> too-short SRH length.
> - Dropped the unnecessary cast in the minimum SRH length check.
> - Link to v1: https://patch.msgid.link/20260620-f01-17-seg6-srh-len-v1-1-36cbb29c12f1@xxxxxxxxxxxxxxxxxxxxx
>
> To: Andrea Mayer <andrea.mayer@xxxxxxxxxxx>
> To: "David S. Miller" <davem@xxxxxxxxxxxxx>
> To: Eric Dumazet <edumazet@xxxxxxxxxx>
> To: Jakub Kicinski <kuba@xxxxxxxxxx>
> To: Paolo Abeni <pabeni@xxxxxxxxxx>
> To: Simon Horman <horms@xxxxxxxxxx>
> To: Mathieu Xhonneux <m.xhonneux@xxxxxxxxx>
> To: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> To: David Lebrun <dlebrun@xxxxxxxxxx>
> Cc: netdev@xxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> Cc: bpf@xxxxxxxxxxxxxxx
> ---
> net/ipv6/seg6.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
> index 1c3ad25700c4c..62a7eb7792026 100644
> --- a/net/ipv6/seg6.c
> +++ b/net/ipv6/seg6.c
> @@ -29,6 +29,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len, bool reduced)
> int max_last_entry;
> int trailing;
>
> + if (len < sizeof(*srh))
> + return false;
> +
Thanks for the patch.
Looks good to me.
Reviewed-by: Andrea Mayer <andrea.mayer@xxxxxxxxxxx>
On a separate note: the AI review message seems correct. The reported
issue is a separate, pre-existing bug in the BPF SEG6 encap path, not
introduced by this patch.
Regards,
Andrea
> if (srh->type != IPV6_SRCRT_TYPE_4)
> return false;
>
>
> ---
> base-commit: 96e7f9122aae0ed000ee321f324b812a447906d9
> change-id: 20260619-f01-17-seg6-srh-len-a85f35427e0b
>
> Best regards,
> --
> Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
>