1. Patchew
  2. linux
  3. View series

[PATCH] ipv6: ndisc: fix potential out-of-bounds read in ndisc_router_discovery()

Rafal Bilkowski posted 1 patch 8 months, 1 week ago 
net/ipv6/ndisc.c | 4 ++++
1 file changed, 4 insertions(+)
[PATCH] ipv6: ndisc: fix potential out-of-bounds read in ndisc_router_discovery()
Posted by Rafal Bilkowski 8 months, 1 week ago 
This patch adds a length check at the start of ndisc_router_discovery()
to prevent a potential out-of-bounds read if a short packet is received.
Without this check, the function may dereference memory outside the
buffer.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: Rafal Bilkowski <rafalbilkowski@gmail.com>
---
 net/ipv6/ndisc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 8d853971f2f6..bdaac5a195d6 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1235,6 +1235,10 @@ static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
 
 static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
 {
+	// Check if the buffer contains enough data for the struct ra_msg
+	if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct ra_msg)))
+		return SKB_DROP_REASON_PKT_TOO_SMALL;
+
 	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
 	bool send_ifinfo_notify = false;
 	struct neighbour *neigh = NULL;
-- 
2.43.0
Re: [PATCH] ipv6: ndisc: fix potential out-of-bounds read in ndisc_router_discovery()
Posted by Kuniyuki Iwashima 8 months, 1 week ago 
From: Rafal Bilkowski <rafalbilkowski@gmail.com>
Date: Mon,  2 Jun 2025 08:58:26 +0200
> This patch adds a length check at the start of ndisc_router_discovery()

I think it already has the check.

---8<---
        optlen = (skb_tail_pointer(skb) - skb_transport_header(skb)) -
                sizeof(struct ra_msg);
...
        if (optlen < 0)
                return SKB_DROP_REASON_PKT_TOO_SMALL;
---8<---


> to prevent a potential out-of-bounds read if a short packet is received.
> Without this check, the function may dereference memory outside the
> buffer.

Do you have a KMSAM splat ?


> 
> Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
> Signed-off-by: Rafal Bilkowski <rafalbilkowski@gmail.com>
> ---
>  net/ipv6/ndisc.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
> index 8d853971f2f6..bdaac5a195d6 100644
> --- a/net/ipv6/ndisc.c
> +++ b/net/ipv6/ndisc.c
> @@ -1235,6 +1235,10 @@ static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
>  
>  static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
>  {
> +	// Check if the buffer contains enough data for the struct ra_msg
> +	if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct ra_msg)))
> +		return SKB_DROP_REASON_PKT_TOO_SMALL;

Please run checkpatch.pl.  We don't add code before variable declarations.

Also, the skb is linearized in ndisc_rcv().

> +
>  	struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
>  	bool send_ifinfo_notify = false;
>  	struct neighbour *neigh = NULL;
> -- 
> 2.43.0

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.