net: hsr: require valid EOT supervision TLV
authorLuka Gejak <luka.gejak@linux.dev>
Sat, 23 May 2026 13:04:20 +0000 (15:04 +0200)
committerJakub Kicinski <kuba@kernel.org>
Wed, 27 May 2026 01:41:05 +0000 (18:41 -0700)
Supervision frames are only valid if terminated with a zero-length EOT
TLV. The current check fails to reject non-EOT entries as the terminal
TLV, potentially allowing malformed supervision traffic.

Fix this by strictly requiring the terminal TLV to be HSR_TLV_EOT with
a length of zero.

Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260523130420.62144-1-luka.gejak@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/hsr/hsr_forward.c

index 0aca859c88cbb6a9b60a1131381ee9df7d4cfa36..5752887c2884b3b34915100eb92044dea952ef63 100644 (file)
@@ -110,7 +110,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
        }
 
        /* end of tlvs must follow at the end */
-       if (hsr_sup_tlv->HSR_TLV_type == HSR_TLV_EOT &&
+       if (hsr_sup_tlv->HSR_TLV_type != HSR_TLV_EOT ||
            hsr_sup_tlv->HSR_TLV_length != 0)
                return false;
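Review bot: The rewritten condition reads both `HSR_TLV_type` and `HSR_TLV_length` through `hsr_sup_tlv`, but the code that positions that pointer is above the hunk, so it is not visible here whether the terminal TLV header is guaranteed to be present in the skb's linear data. Since this test is now the final gate for accepting a frame as supervision traffic, it is worth confirming that the preceding length validation (presumably a `pskb_may_pull()`) covers the TLV header size at that offset and not only the bytes before it. The comment above the condition is also too vague for a check that now rejects on either field; I would replace it with `/* last TLV must be HSR_TLV_EOT with zero length, otherwise reject */`. The body of is_supervision_frame() starts and ends outside the hunk.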