git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Yang Yang <n05ec@lzu.edu.cn>
	Thu, 26 Mar 2026 03:44:41 +0000 (03:44 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 11 Apr 2026 12:29:54 +0000 (14:29 +0200)
commit	b69c4236255bd8de16cd876e58c6f0867d1d78b1
tree	fd740780aec73ae946677c33b645e5c643e6d7fb	tree \| snapshot
parent	429d05565eb19ee545d8a8395991372adbe4daf3	commit \| diff

vxlan: validate ND option lengths in vxlan_na_create

commit afa9a05e6c4971bd5586f1b304e14d61fb3d9385 upstream.

vxlan_na_create() walks ND options according to option-provided
lengths. A malformed option can make the parser advance beyond the
computed option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before
advancing, and only read source LLADDR when the option is large enough
for an Ethernet address.

Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Tested-by: Ao Zhou <n05ec@lzu.edu.cn>
Co-developed-by: Yuan Tan <tanyuan98@outlook.com>
Signed-off-by: Yuan Tan <tanyuan98@outlook.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yang Yang <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260326034441.2037420-4-n05ec@lzu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>