From nobody Fri Apr 3 01:29:32 2026 Received: from azure-sdnproxy.icoremail.net (azure-sdnproxy.icoremail.net [13.75.44.102]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4B1E81EFF8D; Thu, 26 Mar 2026 03:45:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.75.44.102 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774496727; cv=none; b=GyCXubnmDPn/TLryUgfEUYTbsopg/pNJwZ/1UjPru0m7KaIob8DZjSs9KYHIUtiQRmBfVHEZwok6Kk7oH1RHBHrngv3eCTkHvnOBQM9I9z/ndN4TGDgrCANIO5Isc7A6MGyc0ka+3IP4fS5n4EalkkaPbJOrPl6KF8AvOd7Zy2s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774496727; c=relaxed/simple; bh=beJ4kJCUh77M+0OjruraxmA2avY/zeYVQ93RUppVsqA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sSGnHEr3sIXGVdPxVTJ4lYMpUtMj3o3vbjCwR0cVbT7hcVdtQrPRjquPFyOCdqaRxcgMbjoA4wRUUmULTD20+oKxegzbxmdCZSSIc93CKUmz3VIXpHOKtvi/ybEAUPtBYUohKUABRzgMAnJWxV/+Fr7YFwm4EPsz513PhwkLdgg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=lzu.edu.cn; spf=pass smtp.mailfrom=lzu.edu.cn; arc=none smtp.client-ip=13.75.44.102 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=lzu.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=lzu.edu.cn Received: from a800-server-1.tail7779b.ts.net (unknown [172.30.111.252]) by app1 (Coremail) with SMTP id ygmowABXyvqpq8RpxwyKAA--.44467S3; Thu, 26 Mar 2026 11:44:50 +0800 (CST) From: Yang Yang To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, razor@blackwall.org, idosch@nvidia.com Cc: andrew+netdev@lunn.ch, horms@kernel.org, florian.fainelli@broadcom.com, roopa@cumulusnetworks.com, dlstevens@us.ibm.com, nb@tipi-net.de, netdev@vger.kernel.org, bridge@lists.linux.dev, linux-kernel@vger.kernel.org, yifanwucs@gmail.com, tomapufckgml@gmail.com, tanyuan98@outlook.com, bird@lzu.edu.cn, n05ec@lzu.edu.cn Subject: [PATCH net 1/3] bridge: br_nd_send: linearize skb before parsing ND options Date: Thu, 26 Mar 2026 03:44:39 +0000 Message-ID: <20260326034441.2037420-2-n05ec@lzu.edu.cn> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260326034441.2037420-1-n05ec@lzu.edu.cn> References: <20260326034441.2037420-1-n05ec@lzu.edu.cn> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: ygmowABXyvqpq8RpxwyKAA--.44467S3 X-Coremail-Antispam: 1UD129KBjvJXoWxZF1rAr1fKw1xCrW5GF47twb_yoW5GFWDpF W7KanYkrWDZrn0gw40yFW8uw1ayr4kGFW3Kr92y3yFvFn8KFn2kFWDtFnIvF1ruF4S9rW3 Zr1q9rnIvr1DXrJanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUBY1xkIjI8I6I8E6xAIw20EY4v20xvaj40_JFC_Wr1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVW8Jr0_Cr1UM28EF7xvwVC2 z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s0DM2AIxVAIcxkEcV Aq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r1j 6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IYc2Ij64 vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7M4IIrI8v6xkF7I0E8cxan2IY04v7MxkF7I0E n4kS14v26r4a6rW5MxkIecxEwVCm-wCF04k20xvY0x0EwIxGrwCF04k20xvE74AGY7Cv6c x26r48MxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCj r7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVW8ZVWrXwCIc40Y0x0EwIxGrwCI42IY6x IIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAI w20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x 0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7sRi_HU3UUUUU== X-CM-SenderInfo: zqqvvuo6o23hxhgxhubq/1tbiAQUSCWnEBPoIyAAAsM Content-Type: text/plain; charset="utf-8" br_nd_send() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request. Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer. Linearize request before option parsing and derive ns from the linear network header. Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports") Reported-by: Yifan Wu Reported-by: Juefei Pu Tested-by: Ao Zhou Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Signed-off-by: Yang Yang Acked-by: Nikolay Aleksandrov Reviewed-by: Ido Schimmel --- net/bridge/br_arp_nd_proxy.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c index 1e2b51769eec8..af3d1e33f50b8 100644 --- a/net/bridge/br_arp_nd_proxy.c +++ b/net/bridge/br_arp_nd_proxy.c @@ -251,12 +251,12 @@ struct nd_msg *br_is_nd_neigh_msg(const struct sk_buf= f *skb, struct nd_msg *msg) =20 static void br_nd_send(struct net_bridge *br, struct net_bridge_port *p, struct sk_buff *request, struct neighbour *n, - __be16 vlan_proto, u16 vlan_tci, struct nd_msg *ns) + __be16 vlan_proto, u16 vlan_tci) { struct net_device *dev =3D request->dev; struct net_bridge_vlan_group *vg; + struct nd_msg *na, *ns; struct sk_buff *reply; - struct nd_msg *na; struct ipv6hdr *pip6; int na_olen =3D 8; /* opt hdr + ETH_ALEN for target */ int ns_olen; @@ -264,7 +264,7 @@ static void br_nd_send(struct net_bridge *br, struct ne= t_bridge_port *p, u8 *daddr; u16 pvid; =20 - if (!dev) + if (!dev || skb_linearize(request)) return; =20 len =3D LL_RESERVED_SPACE(dev) + sizeof(struct ipv6hdr) + @@ -281,6 +281,8 @@ static void br_nd_send(struct net_bridge *br, struct ne= t_bridge_port *p, skb_set_mac_header(reply, 0); =20 daddr =3D eth_hdr(request)->h_source; + ns =3D (struct nd_msg *)(skb_network_header(request) + + sizeof(struct ipv6hdr)); =20 /* Do we need option processing ? */ ns_olen =3D request->len - (skb_network_offset(request) + @@ -472,9 +474,9 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_= bridge *br, if (vid !=3D 0) br_nd_send(br, p, skb, n, skb->vlan_proto, - skb_vlan_tag_get(skb), msg); + skb_vlan_tag_get(skb)); else - br_nd_send(br, p, skb, n, 0, 0, msg); + br_nd_send(br, p, skb, n, 0, 0); replied =3D true; } =20 --=20 2.43.0