git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Qingfang Deng <qingfang.deng@linux.dev>
	Wed, 15 Apr 2026 02:24:51 +0000 (10:24 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Mon, 20 Apr 2026 18:35:17 +0000 (11:35 -0700)
commit	cc1ff87bce1ccd38410ab10960f576dcd17db679
tree	6d5bc0dc6df8cd6664041012d4a4740bca42baf0	tree \| snapshot
parent	d6c19b31a3c1d519fabdcf0aa239e6b6109b9473	commit \| diff

pppoe: drop PFC frames

RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the current PPPoE driver assumes an
uncompressed (2-byte) protocol field. However, the generic PPP layer
function ppp_input() is not aware of the negotiation result, and still
accepts PFC frames.

If a peer with a broken implementation or an attacker sends a frame with
a compressed (1-byte) protocol field, the subsequent PPP payload is
shifted by one byte. This causes the network header to be 4-byte
misaligned, which may trigger unaligned access exceptions on some
architectures.

To reduce the attack surface, drop PPPoE PFC frames. Introduce
ppp_skb_is_compressed_proto() helper function to be used in both
ppp_generic.c and pppoe.c to avoid open-coding.

Fixes: 7fb1b8ca8fa1 ("ppp: Move PFC decompression to PPP generic layer")
Signed-off-by: Qingfang Deng <qingfang.deng@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260415022456.141758-2-qingfang.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

drivers/net/ppp/ppp_generic.c		diff \| blob \| blame \| history
drivers/net/ppp/pppoe.c		diff \| blob \| blame \| history
include/linux/ppp_defs.h		diff \| blob \| blame \| history