1. Patchew
  2. linux
  3. View series

[PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload

Roshan Kumar posted 1 patch 1 month, 2 weeks ago 
net/xfrm/xfrm_iptfs.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
Posted by Roshan Kumar 1 month, 2 weeks ago 
Add validation of the inner IPv4 packet tot_len and ihl fields parsed
from decrypted IPTFS payloads in __input_process_payload(). A crafted
ESP packet containing an inner IPv4 header with tot_len=0 causes an
infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
data offset never advances and the while(data < tail) loop never
terminates, spinning forever in softirq context.

Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
iphdr), which catches both the tot_len=0 case and malformed ihl values.
The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
extracts and processes inner packets before they reach that layer.

Reported-by: Roshan Kumar <roshaen09@gmail.com>
Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Roshan Kumar <roshaen09@gmail.com>
---
 net/xfrm/xfrm_iptfs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 050a82101ca5..4cd0747367bd 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -991,6 +991,11 @@ static bool __input_process_payload(struct xfrm_state *x, u32 data,
 
 			iplen = be16_to_cpu(iph->tot_len);
 			iphlen = iph->ihl << 2;
+			if (iplen < iphlen || iphlen < sizeof(*iph)) {
+				XFRM_INC_STATS(net,
+					       LINUX_MIB_XFRMINHDRERROR);
+				goto done;
+			}
 			protocol = cpu_to_be16(ETH_P_IP);
 			XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos;
 		} else if (iph->version == 0x6) {
-- 
2.48.1
Re: [PATCH] xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
Posted by Steffen Klassert 1 month, 1 week ago 
On Sun, Mar 01, 2026 at 10:56:38AM +0000, Roshan Kumar wrote:
> Add validation of the inner IPv4 packet tot_len and ihl fields parsed
> from decrypted IPTFS payloads in __input_process_payload(). A crafted
> ESP packet containing an inner IPv4 header with tot_len=0 causes an
> infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
> data offset never advances and the while(data < tail) loop never
> terminates, spinning forever in softirq context.
> 
> Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
> iphdr), which catches both the tot_len=0 case and malformed ihl values.
> The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
> extracts and processes inner packets before they reach that layer.
> 
> Reported-by: Roshan Kumar <roshaen09@gmail.com>
> Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
> Cc: stable@vger.kernel.org
> Signed-off-by: Roshan Kumar <roshaen09@gmail.com>

Applied to the ipsec tree, thanks a lot!

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.