From: Yang Yang
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, razor@blackwall.org, idosch@nvidia.com
Cc: andrew+netdev@lunn.ch, horms@kernel.org, florian.fainelli@broadcom.com, roopa@cumulusnetworks.com, dlstevens@us.ibm.com, nb@tipi-net.de, netdev@vger.kernel.org, bridge@lists.linux.dev, linux-kernel@vger.kernel.org, yifanwucs@gmail.com, tomapufckgml@gmail.com, tanyuan98@outlook.com, bird@lzu.edu.cn, n05ec@lzu.edu.cn
Subject: [PATCH net 2/3] bridge: br_nd_send: validate ND option lengths
Date: Thu, 26 Mar 2026 03:44:40 +0000
Message-ID: <20260326034441.2037420-3-n05ec@lzu.edu.cn>
In-Reply-To: <20260326034441.2037420-1-n05ec@lzu.edu.cn>
References: <20260326034441.2037420-1-n05ec@lzu.edu.cn>
Content-Transfer-Encoding: quoted-printable

br_nd_send() walks ND options according to option-provided lengths. A malformed option can make the parser advance beyond the computed option span or use a too-short source LLADDR option payload.

Validate option lengths against the remaining NS option area before advancing, and only read source LLADDR when the option is large enough for an Ethernet address.

Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu
Reported-by: Juefei Pu
Tested-by: Ao Zhou
Co-developed-by: Yuan Tan
Signed-off-by: Yuan Tan
Suggested-by: Xin Liu
Signed-off-by: Yang Yang
Acked-by: Nikolay Aleksandrov
Reviewed-by: Ido Schimmel
--- net/bridge/br_arp_nd_proxy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c index af3d1e33f50b8..6b5595868a39c 100644 --- a/net/bridge/br_arp_nd_proxy.c +++ b/net/bridge/br_arp_nd_proxy.c @@ -288,12 +288,14 @@ static void br_nd_send(struct net_bridge *br, struct = net_bridge_port *p, ns_olen =3D request->len - (skb_network_offset(request) + sizeof(struct ipv6hdr)) - sizeof(*ns); for (i =3D 0; i < ns_olen - 1; i +=3D (ns->opt[i + 1] << 3)) { - if (!ns->opt[i + 1]) { + if (!ns->opt[i + 1] || i + (ns->opt[i + 1] << 3) > ns_olen) { kfree_skb(reply); return; } if (ns->opt[i] =3D=3D ND_OPT_SOURCE_LL_ADDR) { - daddr =3D ns->opt + i + sizeof(struct nd_opt_hdr); + if ((ns->opt[i + 1] << 3) >=3D + sizeof(struct nd_opt_hdr) + ETH_ALEN) + daddr =3D ns->opt + i + sizeof(struct nd_opt_hdr); break; } } --=20 2.43.0
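
Review bot: In the ND_OPT_SOURCE_LL_ADDR branch, the added test (ns->opt[i + 1] << 3) >= sizeof(struct nd_opt_hdr) + ETH_ALEN can never be false once the check above it has rejected a zero length byte: the smallest option that reaches this point is 8 bytes long, and sizeof(struct nd_opt_hdr) + ETH_ALEN is 2 + 6 = 8. The bound that actually protects the read of daddr is the new i + (ns->opt[i + 1] << 3) > ns_olen test, so either drop the second condition or keep it with a short comment saying it documents the Ethernet-sized assumption rather than guarding anything. Separately, ns->opt[i + 1] << 3 now appears three times in the loop (the increment and both checks); computing it once per iteration into a local would make the two bounds easier to compare against each other.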