]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
seg6: validate SRH length before reading fixed fields
authorNuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Tue, 23 Jun 2026 10:32:31 +0000 (18:32 +0800)
committerJakub Kicinski <kuba@kernel.org>
Sat, 27 Jun 2026 01:49:37 +0000 (18:49 -0700)
seg6_validate_srh() reads fixed SRH fields such as srh->type and
srh->hdrlen before checking that the supplied length covers the fixed
struct ipv6_sr_hdr fields.

The BPF SEG6 encap path reaches this with a BPF program-supplied pointer
and length: bpf_lwt_push_encap() and the SEG6 local BPF END_B6 and
END_B6_ENCAP actions call bpf_push_seg6_encap(), which forwards the
length to seg6_validate_srh() with no minimum-size guard.  A 2-byte SEG6
encap header can therefore make the validator read srh->type at offset 2
beyond the caller-supplied buffer.

Reject lengths shorter than the fixed SRH at the top of
seg6_validate_srh(), before any field is read.  This fixes the BPF helper
path and keeps the common validator robust.

Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Link: https://patch.msgid.link/20260623-f01-17-seg6-srh-len-v2-1-2edc40e9e3e1@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/ipv6/seg6.c

index 1c3ad25700c4c7321afbae5327e06c3aada6ef9d..62a7eb77920265b59be417bcd38611cf26e5c88f 100644 (file)
@@ -29,6 +29,9 @@ bool seg6_validate_srh(struct ipv6_sr_hdr *srh, int len, bool reduced)
        int max_last_entry;
        int trailing;
 
+       if (len < sizeof(*srh))
+               return false;
+
        if (srh->type != IPV6_SRCRT_TYPE_4)
                return false;