ife decode may return after making only the outer IFE header and
metadata pullable. The caller then passes the decapsulated packet to
eth_type_trans(), which expects the inner Ethernet header to be
accessible from the linear data area.

With a malformed IFE frame, the inner Ethernet header may still be
shorter than ETH_HLEN in the linear area, which can lead to a crash in
the original code.

Fix this by extending the pull check in ife_decode() so that the inner
Ethernet header is also guaranteed to be pullable before returning.
Fixes: ef6980b6becb ("introduce IFE action")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yong Wang <edragain@163.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/20260610183814.1648888-2-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
if (unlikely(ifehdrln < 2))
return NULL;
- if (unlikely(!pskb_may_pull(skb, total_pull)))
+ if (unlikely(!pskb_may_pull(skb, total_pull + ETH_HLEN)))
return NULL;
ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len);
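Review bot: the new pull length `total_pull + ETH_HLEN` is larger than what ife_decode() itself reads (it only dereferences the IFE header at `skb->data + skb->dev->hard_header_len`), so a one-line comment above the check stating that the extra ETH_HLEN is for the inner Ethernet header consumed later by eth_type_trans() would keep a future reader from "optimising" it back to `total_pull`. Note also that the outer header length comes from `skb->dev->hard_header_len` while the inner one is hardcoded as ETH_HLEN; that is consistent with the commit message (the inner frame is always handed to eth_type_trans()), but worth saying explicitly in the comment. Frames whose linear area cannot supply ETH_HLEN inner bytes are now rejected with NULL rather than crashing in eth_type_trans(), which is the intended behaviour for malformed input; the existing `ifehdrln < 2` check still runs first, so the added length is bounded by the on-wire header length field.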