]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4eb82ba) | patch
ipv4: icmp: reject broadcast/multicast routes
authorEric Dumazet <edumazet@google.com>
Tue, 19 May 2026 20:08:36 +0000 (20:08 +0000)
committerJakub Kicinski <kuba@kernel.org>
Thu, 21 May 2026 02:00:02 +0000 (19:00 -0700)
commit7eb72c1e3984150c45f77aa4299f7c2598a68e9b
treebdfc6f0acdeb41fc773fff242abbf29fd21be6f1tree | snapshot
parent4eb82ba543421e9e38cc14e4e82058b78850df50commit | diff
ipv4: icmp: reject broadcast/multicast routes

syzbot was able to trigger ip_rt_bug() in a loop, using an IPv4 packet
with a crafted IPOPT_SSRR option:

  options: ipv4_options {
    options: array[ipv4_option] {
      union ipv4_option {
        ssrr: ipv4_option_route[IPOPT_SSRR] {
         type: const = 0x89 (1 bytes)
         length: len = 0x7 (1 bytes)
         pointer: int8 = 0xa2 (1 bytes)
         data: array[ipv4_addr] {
           union ipv4_addr {
             broadcast: const = 0xffffffff (4 bytes)
           }
         }
       }
     }

Change __icmp_send() to not send ICMP to broadcast/multicast destinations.

Fixes: c378a9c019cf ("ipv4: Give backtrace in ip_rt_bug().")
Reported-by: syzbot+c13a57c2639c2c0d03a6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6a0cc169.170a0220.1f6c2d.0004.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260519200836.4141061-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/ipv4/icmp.c diff | blob | blame | history
A mirror of Linus' kernel repository