diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2026-01-30 05:25:24 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-01-30 05:25:25 +0300 |
| commit | de5720f91b0b64c603f14da3c6298cba4febeb01 (patch) | |
| tree | 0167d5eced3453c9c6d1aa977f3f1c50e7eb1100 /include/linux | |
| parent | 37d312bf957b95346fae2b3f82ce043474ea66c9 (diff) | |
| parent | cabd1a976375780dabab888784e356f574bbaed8 (diff) | |
| download | linux-de5720f91b0b64c603f14da3c6298cba4febeb01.tar.xz | |
Merge branch 'net-fix-potential-crash-in-net-sched-cls_u32-c'
Eric Dumazet says:
====================
net: fix potential crash in net/sched/cls_u32.c
GangMin Kim provided a report and a repro fooling u32_classify().
Add skb_header_pointer_careful() variant of skb_header_pointer()
and use it in net/sched/cls_u32.c.
Later we can also use it in net/sched/act_pedit.c
====================
Link: https://patch.msgid.link/20260128141539.3404400-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/skbuff.h | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 86737076101d..112e48970338 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -4301,6 +4301,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer) skb_headlen(skb), buffer); } +/* Variant of skb_header_pointer() where @offset is user-controlled + * and potentially negative. + */ +static inline void * __must_check +skb_header_pointer_careful(const struct sk_buff *skb, int offset, + int len, void *buffer) +{ + if (unlikely(offset < 0 && -offset > skb_headroom(skb))) + return NULL; + return skb_header_pointer(skb, offset, len, buffer); +} + static inline void * __must_check skb_pointer_if_linear(const struct sk_buff *skb, int offset, int len) { |