git.ipfire.org Git - thirdparty/linux.git/commit

author	Eric Dumazet <edumazet@google.com>
	Fri, 22 May 2026 11:55:12 +0000 (11:55 +0000)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 27 May 2026 01:11:47 +0000 (18:11 -0700)
commit	509323077ef79a26ba0c60bb556e45c12c398b2d
tree	ac3694890fbdf6e9dec6ada642aa6c4223a00f5f	tree \| snapshot
parent	7d9ef0cb271555d8cf39fefe6c981e1493b25ecf	commit \| diff

tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

In some cases, iptunnel_pmtud_check_icmp() can be called while
skb transport header is not set.

This triggers an out-of-bound access, because
(typeof(skb->transport_header))~0U is 65535.

Access the icmp header based on IPv4 network header,
after making sure icmp->type is present in skb linear part.

Note that iptunnel_pmtud_check_icmpv6()) is fine.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260522115512.1519110-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>