git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Roshan Kumar <roshaen09@gmail.com>
	Sun, 1 Mar 2026 10:56:38 +0000 (10:56 +0000)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Mon, 2 Mar 2026 07:53:00 +0000 (08:53 +0100)
commit	0d10393d5eac33cbd92f7a41fddca12c41d3cb7e
tree	13af98896eda5289c4c43825ad5147e52928a63b	tree \| snapshot
parent	0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2	commit \| diff

xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

Reported-by: Roshan Kumar <roshaen09@gmail.com>
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Roshan Kumar <roshaen09@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>