git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Yang Yang <n05ec@lzu.edu.cn>
	Thu, 26 Mar 2026 03:44:39 +0000 (03:44 +0000)
committer	Jakub Kicinski <kuba@kernel.org>
	Sat, 28 Mar 2026 03:37:14 +0000 (20:37 -0700)
commit	a01aee7cafc575bb82f5529e8734e7052f9b16ea
tree	98258da08922622c19c69a04fe167d70c6a8af1f	tree \| snapshot
parent	c11c731a684e5e4e377e7e22f9fc2f29ce1478c7	commit \| diff

bridge: br_nd_send: linearize skb before parsing ND options

br_nd_send() parses neighbour discovery options from ns->opt[] and
assumes that these options are in the linear part of request.

Its callers only guarantee that the ICMPv6 header and target address
are available, so the option area can still be non-linear. Parsing
ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear
network header.

Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260326034441.2037420-2-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>