From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Miroslav Rezanina, Jason Wang, Dmitry Fleytman, Prasad J Pandit, Philippe Mathieu-Daudé
Subject: [PATCH 1/2] net/eth: Simplify _eth_get_rss_ex_dst_addr()
Date: Thu, 14 Jan 2021 15:50:40 +0100
Message-Id: <20210114145041.2865440-2-philmd@redhat.com>
In-Reply-To: <20210114145041.2865440-1-philmd@redhat.com>
References: <20210114145041.2865440-1-philmd@redhat.com>

The length field is already contained in the ip6_ext_hdr structure.
Check it directly in eth_parse_ipv6_hdr() before calling
_eth_get_rss_ex_dst_addr(), which gets a bit simplified.

Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Miroslav Rezanina

--- net/eth.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/eth.c b/net/eth.c index 1e0821c5f81..7d4dd48c1ff 100644 --- a/net/eth.c +++ b/net/eth.c @@ -407,9 +407,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int p= kt_frags, { struct ip6_ext_hdr_routing *rthdr =3D (struct ip6_ext_hdr_routing *) e= xt_hdr; =20 - if ((rthdr->rtype =3D=3D 2) && - (rthdr->len =3D=3D sizeof(struct in6_address) / 8) && - (rthdr->segleft =3D=3D 1)) { + if ((rthdr->rtype =3D=3D 2) && (rthdr->segleft =3D=3D 1)) { =20 size_t input_size =3D iov_size(pkt, pkt_frags); size_t bytes_read; 
@@ -528,10 +526,12 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int = pkt_frags, } =20 if (curr_ext_hdr_type =3D=3D IP6_ROUTING) { - info->rss_ex_dst_valid =3D - _eth_get_rss_ex_dst_addr(pkt, pkt_frags, - ip6hdr_off + info->full_hdr_len, - &ext_hdr, &info->rss_ex_dst); + if (ext_hdr.ip6r_len =3D=3D sizeof(struct in6_address) / 8) { + info->rss_ex_dst_valid =3D + _eth_get_rss_ex_dst_addr(pkt, pkt_frags, + ip6hdr_off + info->full_hdr_l= en, + &ext_hdr, &info->rss_ex_dst); + } } else if (curr_ext_hdr_type =3D=3D IP6_DESTINATON) { info->rss_ex_src_valid =3D _eth_get_rss_ex_src_addr(pkt, pkt_frags, --=20 2.26.2
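Review bot: In the _eth_get_rss_ex_dst_addr() hunk of patch 1/2, dropping the `rthdr->len` test leaves the function relying on its caller to have validated the length, and nothing at the function says so. A comment above the function stating that precondition would keep a future caller from skipping the check. The remaining `rthdr->rtype` and `rthdr->segleft` reads still go through the cast of `ext_hdr` to `struct ip6_ext_hdr_routing *`, so this hunk on its own does not change which memory is read.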
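Review bot: In the eth_parse_ipv6_hdr() hunk of patch 1/2, `info->rss_ex_dst_valid` is no longer assigned when `ext_hdr.ip6r_len` does not match, whereas the removed code assigned it for every `IP6_ROUTING` header. Unless the field is initialised to false before this point, which these lines do not show, add an else branch that sets it to false, or assign the result of the combined condition in a single statement.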
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Miroslav Rezanina, Jason Wang, Dmitry Fleytman, Prasad J Pandit, Philippe Mathieu-Daudé, qemu-stable@nongnu.org, Alexander Bulekov
Subject: [PATCH 2/2] net/eth: Fix stack-buffer-overflow in _eth_get_rss_ex_dst_addr()
Date: Thu, 14 Jan 2021 15:50:41 +0100
Message-Id: <20210114145041.2865440-3-philmd@redhat.com>
In-Reply-To: <20210114145041.2865440-1-philmd@redhat.com>
References: <20210114145041.2865440-1-philmd@redhat.com>

QEMU fuzzer reported a buffer overflow in _eth_get_rss_ex_dst_addr()
reproducible as:

  $ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
    -accel qtest -monitor none \
    -serial none -nographic -qtest stdio
  outl 0xcf8 0x80001010
  outl 0xcfc 0xe1020000
  outl 0xcf8 0x80001004
  outw 0xcfc 0x7
  write 0x25 0x1 0x86
  write 0x26 0x1 0xdd
  write 0x4f 0x1 0x2b
  write 0xe1020030 0x4 0x190002e1
  write 0xe102003a 0x2 0x0807
  write 0xe1020048 0x4 0x12077cdd
  write 0xe1020400 0x4 0xba077cdd
  write 0xe1020420 0x4 0x190002e1
  write 0xe1020428 0x4 0x3509d807
  write 0xe1020438 0x1 0xe2
  EOF
  =================================================================
  ==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
  READ of size 1 at 0x7ffdef904902 thread T0
      #0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
      #1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
      #2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
      #3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
      #4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
      #5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
      #6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
      #7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
      #8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5

  Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
      #0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486

    This frame has 1 object(s):
      [32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
  Shadow bytes around the buggy address:
    0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  =>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07
    Stack left redzone:      f1
    Stack right redzone:     f3
  ==2859770==ABORTING

Similarly GCC 11 reports:

  net/eth.c: In function 'eth_parse_ipv6_hdr':
  net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |          ~~~~~^~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~
  net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
    410 |     if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
        |                                 ~~~~~^~~~~~~~~
  net/eth.c:485:24: note: while referencing 'ext_hdr'
    485 |     struct ip6_ext_hdr ext_hdr;
        |                        ^~~~~~~

In eth_parse_ipv6_hdr() we called iov_to_buf() to fill the 2 bytes of
the 'ext_hdr' buffer, then _eth_get_rss_ex_dst_addr() tries to access
beside the 2 filled bytes.

Fix by reworking the function, filling the full rt_hdr buffer on the
stack calling iov_to_buf() again.

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
Reported-by: Alexander Bulekov
Reported-by: Miroslav Rezanina
Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
Signed-off-by: Philippe Mathieu-Daudé
Reviewed-by: Miroslav Rezanina

--- net/eth.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/net/eth.c b/net/eth.c index 7d4dd48c1ff..ae4db37888e 100644 --- a/net/eth.c +++ b/net/eth.c 
@@ -401,26 +401,23 @@ eth_is_ip6_extension_header_type(uint8_t hdr_type) =20 static bool _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags, - size_t rthdr_offset, + size_t ext_hdr_offset, struct ip6_ext_hdr *ext_hdr, struct in6_address *dst_addr) { - struct ip6_ext_hdr_routing *rthdr =3D (struct ip6_ext_hdr_routing *) e= xt_hdr; + struct ip6_ext_hdr_routing rt_hdr; + size_t input_size =3D iov_size(pkt, pkt_frags); + size_t bytes_read; =20 - if ((rthdr->rtype =3D=3D 2) && (rthdr->segleft =3D=3D 1)) { + if (input_size < ext_hdr_offset + sizeof(rt_hdr)) { + return false; + } =20 - size_t input_size =3D iov_size(pkt, pkt_frags); - size_t bytes_read; + bytes_read =3D iov_to_buf(pkt, pkt_frags, ext_hdr_offset, + &rt_hdr, sizeof(rt_hdr)); =20 - if (input_size < rthdr_offset + sizeof(*ext_hdr)) { - return false; - } - - bytes_read =3D iov_to_buf(pkt, pkt_frags, - rthdr_offset + sizeof(*ext_hdr), - dst_addr, sizeof(*dst_addr)); - - return bytes_read =3D=3D sizeof(*dst_addr); + if ((rt_hdr.rtype =3D=3D 2) && (rt_hdr.segleft =3D=3D 1)) { + return bytes_read =3D=3D sizeof(*ext_hdr) + sizeof(*dst_addr); } =20 return false; --=20 2.26.2
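Review bot: In the rewritten body of _eth_get_rss_ex_dst_addr() in patch 2/2, nothing writes `*dst_addr` any more: the removed `iov_to_buf()` call copied into `dst_addr`, the new one copies only into `&rt_hdr`, yet the function can still return true. The return test also compares `bytes_read` with `sizeof(*ext_hdr) + sizeof(*dst_addr)` although the read requested `sizeof(rt_hdr)` bytes, so it holds only if those two sizes happen to be equal. Suggest comparing against `sizeof(rt_hdr)` and then filling `*dst_addr`, either from `rt_hdr` if that structure carries the address or with a second bounded `iov_to_buf()`; `ext_hdr` is now used only inside `sizeof` and could be dropped from the signature.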
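The approach the second commit message describes, copying the whole routing header into a full-size stack object before looking at its fields, as an added stand-alone example that is not QEMU's code. `struct rt2_hdr`, `gather_copy()` and `rt2_get_dst()` are hypothetical names; `gather_copy()` stands in for an iov_to_buf()-style helper, and the header layout is assumed to be the 24-byte type 2 routing header.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

/* Type 2 routing header on the wire (RFC 6275): 8 fixed bytes plus one
 * 16-byte home address. The struct name is made up for this example. */
struct rt2_hdr {
    uint8_t nxt, len, rtype, segleft, rsvd[4], home_addr[16];
};

/* Hypothetical stand-in for an iov_to_buf()-style helper: copy up to n
 * bytes from packet offset off, return how many bytes were copied. */
static size_t gather_copy(const struct iovec *iov, int cnt, size_t off,
                          void *dst, size_t n)
{
    size_t done = 0;
    for (int i = 0; i < cnt && done < n; i++) {
        if (off >= iov[i].iov_len) {
            off -= iov[i].iov_len;      /* fragment lies before the offset */
            continue;
        }
        size_t take = iov[i].iov_len - off;
        if (take > n - done) {
            take = n - done;
        }
        memcpy((uint8_t *)dst + done, (uint8_t *)iov[i].iov_base + off, take);
        done += take;
        off = 0;
    }
    return done;
}

/* Copy the whole header into a correctly sized local object, then look at
 * its fields; a short read means the packet is truncated. */
static bool rt2_get_dst(const struct iovec *iov, int cnt, size_t off,
                        uint8_t dst[16])
{
    struct rt2_hdr h;
    if (gather_copy(iov, cnt, off, &h, sizeof(h)) != sizeof(h)) {
        return false;
    }
    if (h.rtype != 2 || h.len != sizeof(h.home_addr) / 8 || h.segleft != 1) {
        return false;
    }
    memcpy(dst, h.home_addr, sizeof(h.home_addr));
    return true;
}
```

Because the fields are read from `h` rather than through a cast of a shorter buffer, the stack object is always large enough for every access, and the output address is written only after both the length and the field checks pass.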