net: hsr: fix potential OOB access in supervision frame handling
authorLuka Gejak <luka.gejak@linux.dev>
Sat, 23 May 2026 13:03:30 +0000 (15:03 +0200)
committerJakub Kicinski <kuba@kernel.org>
Mon, 25 May 2026 21:18:15 +0000 (14:18 -0700)
Ensure the entire TLV header is linearized before access by adding
sizeof(struct hsr_sup_tlv) to the pskb_may_pull() calls. Without this,
a truncated frame could cause an out-of-bounds access.

Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames")
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260523130330.61880-1-luka.gejak@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/hsr/hsr_forward.c

index 0aca859c88cbb6a9b60a1131381ee9df7d4cfa36..f669a226d728540de7386f2245a3025dde44ff3b 100644 (file)
@@ -84,7 +84,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
        /* Get next tlv */
        total_length += hsr_sup_tag->tlv.HSR_TLV_length;
-       if (!pskb_may_pull(skb, total_length))
+       if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
                return false;
        skb_pull(skb, total_length);
        hsr_sup_tlv = (struct hsr_sup_tlv *)skb->data;
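Review bot: The widened check `pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv))` has no comment explaining why it asks for more bytes than the `total_length` that `skb_pull()` consumes on the next line, so a later cleanup could plausibly reduce it back to `total_length` and reintroduce the out-of-bounds read. I would add above it `/* also linearize the next TLV header: it is read through skb->data right after the pull */`, and the same comment at the second call under "make sure another tlv follows". The sum mixes `total_length` with a `size_t` and is then narrowed to the length argument of pskb_may_pull(); the declaration of `total_length` is outside the hunk, so it is worth confirming its type cannot wrap while it accumulates frame-supplied `HSR_TLV_length` values. is_supervision_frame() starts and ends outside both hunks.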
@@ -100,7 +100,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
                /* make sure another tlv follows */
                total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tlv->HSR_TLV_length;
-               if (!pskb_may_pull(skb, total_length))
+               if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
                        return false;
 
                /* get next tlv */