net/hsr/hsr_forward.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
From: Luka Gejak <luka.gejak@linux.dev>
Supervision frames are only valid if terminated with a zero-length EOT
TLV. The current check fails to reject non-EOT entries as the terminal
TLV, potentially allowing malformed supervision traffic.
Fix this by strictly requiring the terminal TLV to be HSR_TLV_EOT with
a length of zero.
Assisted-by: Gemini:Gemini-3.1-flash
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
---
Changes in v7:
- Send as standalone patch as other patch was moved to net. See NOTE.
NOTE: This patch was previously part of a net-next series and was
seperated as requested by Jakub Kicinski. Link to the old series is [1].
[1]:https://lore.kernel.org/netdev/20260513182657.20346-1-luka.gejak@linux.dev/
net/hsr/hsr_forward.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index f669a226d728..0774981a65c1 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -110,7 +110,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
}
/* end of tlvs must follow at the end */
- if (hsr_sup_tlv->HSR_TLV_type == HSR_TLV_EOT &&
+ if (hsr_sup_tlv->HSR_TLV_type != HSR_TLV_EOT ||
hsr_sup_tlv->HSR_TLV_length != 0)
return false;
--
2.54.0On 5/23/26 3:04 PM, luka.gejak@linux.dev wrote: > From: Luka Gejak <luka.gejak@linux.dev> > > Supervision frames are only valid if terminated with a zero-length EOT > TLV. The current check fails to reject non-EOT entries as the terminal > TLV, potentially allowing malformed supervision traffic. > > Fix this by strictly requiring the terminal TLV to be HSR_TLV_EOT with > a length of zero. > > Assisted-by: Gemini:Gemini-3.1-flash > Signed-off-by: Luka Gejak <luka.gejak@linux.dev> Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
© 2016 - 2026 Red Hat, Inc.