From nobody Sat Jun 13 13:37:19 2026
Received: from mail-ed1-f65.google.com (mail-ed1-f65.google.com
 [209.85.208.65])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0CD403A1CE6
	for <linux-kernel@vger.kernel.org>; Thu,  7 May 2026 12:04:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.208.65
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778155491; cv=none;
 b=BgI7vGSxLVQi+rSGl9lRfLGJyzbNsap1OQrbiuE5+mk5g3/ZlGhVval2bicEqB3PzZHKuZFmn7+B6wvut1Bxln+AK45Pffh2WMeq3n6W8Vx8EnkzDDBNwK9IUsBhYi3DDo+BmXdJars5AItY22wLpz052lEDHj1qmkbfVNeHGw0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778155491; c=relaxed/simple;
	bh=hSUG09nHENB3l3k2WSy3g2qFr4tySgF/qi/LSfVUZ/M=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;
 b=DE7rcJgdXa+JynZjd/gLFTN6BuZetANi+caYFj/mVIQm3OgVUkMIWdKsMqN7qWex9hKlDJkFHgrkY6WEocI1Z/ov9AgYRMtaS4itLnx5qTU6XN71IuW4OaGyetyjDYwd1/cFMtAXDJlOjiM6rwyYWXaOOxjf3QVhQM4d4ajog48=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=ovn.org;
 spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.208.65
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=ovn.org
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Received: by mail-ed1-f65.google.com with SMTP id
 4fb4d7f45d1cf-65c0891f4e9so1190287a12.1
        for <linux-kernel@vger.kernel.org>;
 Thu, 07 May 2026 05:04:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778155484; x=1778760284;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=6VSQz3qWSBmu4rhZHr1DZdjiE1xIcn8ousLUryflVY8=;
        b=PvuHOtWinyZOJPy1m4I0ONk6lJGOSGFVui1qgywOyXKHvyEPvMPem1ATEFijs18tfa
         vy13uHxlBnT3pSFJqNc6xybXMX5LvLhJJpkDL26yfrH4I8dPcfpwT2AyldUm6Luob3FH
         h+u042wvD/fyeOTj1AM6N/A4bC1j0bpgqJcmlXell2aEY4OEkULhtOCEf+FFXMRoAaKT
         tbkzGK6XH8ETAviGVi3nUbPPzco7V7be8MUiMZPFx4jFIzBZzBHHEHjRkhIkxYQS9lYg
         0OVReqPPVuA/LxTeo43esBzSE1pF+aKYUvyFCB9ibXmbnWZFuNJUi5YfnLSnnskog9Ov
         IL0Q==
X-Forwarded-Encrypted: i=1;
 AFNElJ+JFJvQ4FqnPlP2Vovw62uZbUbl8lK3LF0xM3O8GmOXXknW0wG0icLj1F9WARviu10f1WppqFvWirW8b0c=@vger.kernel.org
X-Gm-Message-State: AOJu0YyS7GbBQA19dtyx57GrCi1SMfim3DjPxz0FDQwPAUP9Db0DGA6l
	6C0EQsXtCmxwIh9tojyKBbuD1rY7Uoxbdhzo03xLCvj5KvaJHz7tvAqF
X-Gm-Gg: AeBDietSsFM2IE2P42DQCChJWCPF8ZfdWn4VOYiqzb4T0mMQWOuJjOTCLhbkBeca/Fl
	p7E/c1a+p8jF867eLtjRENh+SqXEJtF2MZ3/BG2Cc2slKrIkfu3su0exvtWsuZE6u+YnUMuWOiE
	zVuOH634CgrI4FAOdVmpYWwiDaolHWZzUi9+tXyKnKmTHtXaraC2tOPhvjmwmBz80dGQ/s9Iqzf
	x5xfeRvJ7PaSuEF63tI5dSfpIPiG0YnTVipMz428PtlJnqyJcDRTEvNeYQwgKbmpyQtjAAbnYyj
	h7ne6Reqgl0n296q0GG6arrp7rTLMJhflpM53pXEOMN/NQ7ETLqwBCjQ5u3zRIGa85/M+xhcaHg
	OpQ6nAfdU0hKnn6G7yDvza0H+YX9k9qCfIh/vsO9YnZASc35Dh8ghIOqv9YMNO8cwhfGRTxRTpL
	Db1GEV/oZ4vuZNkmByBH9Bf3Xex220GPuXIXYgnNB11z1AjIuy/tuH0ohEnGDOkgQxhm6DEKcnA
	5p5cxDci27JUYsIWXE=
X-Received: by 2002:a05:6402:e07:b0:676:54d5:bc5b with SMTP id
 4fb4d7f45d1cf-67d6489d7c1mr3837204a12.18.1778155483468;
        Thu, 07 May 2026 05:04:43 -0700 (PDT)
Received: from im-t490s.redhat.com (89-24-32-159.nat.epc.tmcz.cz.
 [89.24.32.159])
        by smtp.gmail.com with ESMTPSA id
 4fb4d7f45d1cf-67cd90efee1sm2006365a12.11.2026.05.07.05.04.42
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 07 May 2026 05:04:43 -0700 (PDT)
From: Ilya Maximets <i.maximets@ovn.org>
To: netdev@vger.kernel.org
Cc: Aaron Conole <aconole@redhat.com>,
	Eelco Chaudron <echaudro@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Jiri Benc <jbenc@redhat.com>,
	Yi Yang <yi.y.yang@intel.com>,
	dev@openvswitch.org,
	linux-kernel@vger.kernel.org,
	Ilya Maximets <i.maximets@ovn.org>
Subject: [PATCH net] net: nsh: fix incorrect header length macros
Date: Thu,  7 May 2026 14:04:26 +0200
Message-ID: <20260507120434.2962505-1-i.maximets@ovn.org>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

NSH header length is a 6-bit field that encodes the total length of
the header in 4-byte words.  So the maximum length is 0b111111 * 4,
which is 252 and not 256.  The maximum context length is the same
number minus the length of the base header (8), so 244.

These macros are used to validate push_nsh() action in openvswitch.
Miscalculation here doesn't cause any real issues.  In the worst case
the oversized context is truncated while building the header, so we'll
construct and send a broken packet, which is not a big problem, as any
receiver should validate the fields.  No invalid memory accesses will
happen during the header push.  But we should fix the macros to reject
the incorrect actions in the first place.

Using previously defined values and calculating the length instead
of defining numbers directly, so it's easier to understand where they
come from and harder to make a mistake.

Fixes: 1f0b7744c505 ("net: add NSH header structures and helpers")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
---

These macros were fixed in the userspace variant of this header some
years ago (by just adjusting the numbers though):
  https://patchwork.ozlabs.org/project/openvswitch/patch/1540503710-23597-1=
-git-send-email-pkusunyifeng@gmail.com/
And there was a patch a few weeks ago with the attempt to change the
validation for push_nsh() instead of fixing the macros:
  https://lore.kernel.org/all/9d2b5c6127e149ebd35094d662bfd008c20347c2.1777=
120226.git.ldy3087146292@gmail.com/
I haven't heard back from the author, so sending this patch myself
to cross it out of my todo list.  It's not a v2, as it's more of a
separate change, even though the outcome is similar.

 include/net/nsh.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/net/nsh.h b/include/net/nsh.h
index 16a7510938969..15a26c5908151 100644
--- a/include/net/nsh.h
+++ b/include/net/nsh.h
@@ -247,10 +247,10 @@ struct nshhdr {
 #define NSH_M_TYPE1_LEN   24
=20
 /* NSH header maximum Length. */
-#define NSH_HDR_MAX_LEN 256
+#define NSH_HDR_MAX_LEN ((NSH_LEN_MASK >> NSH_LEN_SHIFT) * 4)
=20
 /* NSH context headers maximum Length. */
-#define NSH_CTX_HDRS_MAX_LEN 248
+#define NSH_CTX_HDRS_MAX_LEN (NSH_HDR_MAX_LEN - NSH_BASE_HDR_LEN)
=20
 static inline struct nshhdr *nsh_hdr(struct sk_buff *skb)
 {
--=20
2.53.0