ipv6: validate extension header length before copying to cmsg

author Qi Tang <tpluszz77@gmail.com>

Sat, 23 May 2026 14:32:45 +0000 (22:32 +0800)

committer Jakub Kicinski <kuba@kernel.org>

Wed, 27 May 2026 01:53:10 +0000 (18:53 -0700)
author Qi Tang <tpluszz77@gmail.com>
Sat, 23 May 2026 14:32:45 +0000 (22:32 +0800)
committer Jakub Kicinski <kuba@kernel.org>
Wed, 27 May 2026 01:53:10 +0000 (18:53 -0700)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c

index ca3605acb4330e1fa5e3c7d96565fecd2bf69d62..38d7b48452817439094c8257e44ddb9e3e9e374a 100644 (file)
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -617,6 +617,18 @@ void ip6_datagram_recv_common_ctl(struct sock *sk, struct msghdr *msg,
         }
  }
  
+static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
+{
+       u16 len;
+
+       if (ptr + 2 > skb_tail_pointer(skb))
+               return 0;
+
+       len = (ptr[1] + 1) << 3;
+
+       return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
+}
+
  void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
                                     struct sk_buff *skb)
  {
@@ -643,7 +655,10 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
         /* HbH is allowed only once */
         if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
                 u8 *ptr = nh + sizeof(struct ipv6hdr);
-               put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
+               u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+               if (len)
+                       put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
         }
  
         if (opt->lastopt &&
@@ -664,26 +679,37 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
                         unsigned int len;
                         u8 *ptr = nh + off;
  
+                       if (ptr + 2 > skb_tail_pointer(skb))
+                               return;
+
                         switch (nexthdr) {
                         case IPPROTO_DSTOPTS:
                                 nexthdr = ptr[0];
-                               len = (ptr[1] + 1) << 3;
+                               len = ipv6_get_exthdr_len(skb, ptr);
+                               if (!len)
+                                       return;
                                 if (np->rxopt.bits.dstopts)
                                         put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
                                 break;
                         case IPPROTO_ROUTING:
                                 nexthdr = ptr[0];
-                               len = (ptr[1] + 1) << 3;
+                               len = ipv6_get_exthdr_len(skb, ptr);
+                               if (!len)
+                                       return;
                                 if (np->rxopt.bits.srcrt)
                                         put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
                                 break;
                         case IPPROTO_AH:
                                 nexthdr = ptr[0];
                                 len = (ptr[1] + 2) << 2;
+                               if (ptr + len > skb_tail_pointer(skb))
+                                       return;
                                 break;
                         default:
                                 nexthdr = ptr[0];
-                               len = (ptr[1] + 1) << 3;
+                               len = ipv6_get_exthdr_len(skb, ptr);
+                               if (!len)
+                                       return;
                                 break;
                         }
  
@@ -705,19 +731,31 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
         }
         if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
                 u8 *ptr = nh + sizeof(struct ipv6hdr);
-               put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
+               u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+               if (len)
+                       put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
         }
         if (np->rxopt.bits.odstopts && opt->dst0) {
                 u8 *ptr = nh + opt->dst0;
-               put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+               u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+               if (len)
+                       put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
         }
         if (np->rxopt.bits.osrcrt && opt->srcrt) {
                 struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
-               put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
+               u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
+
+               if (len)
+                       put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
         }
         if (np->rxopt.bits.odstopts && opt->dst1) {
                 u8 *ptr = nh + opt->dst1;
-               put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+               u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+               if (len)
+                       put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
         }
         if (np->rxopt.bits.rxorigdstaddr) {
                 struct sockaddr_in6 sin6;
author	Qi Tang <tpluszz77@gmail.com>
	Sat, 23 May 2026 14:32:45 +0000 (22:32 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 27 May 2026 01:53:10 +0000 (18:53 -0700)