From nobody Mon Jun 8 19:00:26 2026 Received: from azure-sdnproxy.icoremail.net (azure-sdnproxy.icoremail.net [13.75.44.102]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EE8C93BB114; Wed, 27 May 2026 08:32:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.75.44.102 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779870751; cv=none; b=U5i6w0npK5ciZzqth8nWRwKOD0GWK8kqWcHVgSi1/QhxaCAoPiDFzx/2D/bRkcvYE2OMOvbQHFVhLAuqCh1EKMJloT1VD/B87OEzRcNmPhAiIi7pAqUgcWMXIWyJKJrlh9p5VSMy2R6+OytPngRBH+5XHfnfzXE6SCuxA8LGCxU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779870751; c=relaxed/simple; bh=1OzluBvLb3n/VSrlrmLReW7l7unbAKPPQBPTnXCYKGo=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=aYrVrQ8ApXeAc26clpQPGzrfVmwVVrrGGdKsYqUYA341L455iU5NVWX0wWy38VIpJAIPSDru3ZT4H4/5IhvJsxfThUYJ09JK8hWJRPOsGob/6dk0t2roSutroe0bi5rstI1MCy26/1JYXFcw4a3m97j3yvwmDZAVBkEjQ/3uJgA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mails.tsinghua.edu.cn; spf=pass smtp.mailfrom=mails.tsinghua.edu.cn; dkim=pass (1024-bit key) header.d=mails.tsinghua.edu.cn header.i=@mails.tsinghua.edu.cn header.b=KvhLQX5B; arc=none smtp.client-ip=13.75.44.102 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mails.tsinghua.edu.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mails.tsinghua.edu.cn Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=mails.tsinghua.edu.cn header.i=@mails.tsinghua.edu.cn header.b="KvhLQX5B" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mails.tsinghua.edu.cn; s=dkim; h=Received:From:To:Cc:Subject: Date:Message-ID:MIME-Version:Content-Transfer-Encoding; bh=2MyoV FmX94jcjdhdgzAlw/zcb7d4MYnwe/dY8rWgqC4=; b=KvhLQX5BuE+0pF34THJQk rdv1sDzJCEj+THE8H4h2QBMC8c33++MlGebT6BpyTdPxUlVwI69046xkEhbCb3mP hkZeYgNSRo8ArfL+p6I418lk9SYA98wOn2uoDETT66NRUe2tOaQb9QFzqGk1B3ev cMbGoNLGiyRNgC7CD6Bq+w= Received: from localhost.localdomain (unknown [211.102.241.99]) by web3 (Coremail) with SMTP id ygQGZQA3g5AJrBZqv8rtAQ--.30987S2; Wed, 27 May 2026 16:32:09 +0800 (CST) From: Yizhou Zhao To: netdev@vger.kernel.org Cc: Yizhou Zhao , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , linux-kernel@vger.kernel.org, Yuxiang Yang , Ao Wang , Xuewei Feng , Qi Li , Ke Xu Subject: [PATCH net] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Date: Wed, 27 May 2026 16:31:58 +0800 Message-ID: <20260527083200.42861-1-zhaoyz24@mails.tsinghua.edu.cn> X-Mailer: git-send-email 2.46.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: ygQGZQA3g5AJrBZqv8rtAQ--.30987S2 X-Coremail-Antispam: 1UD129KBjvJXoW7ury5Kry7WFW5tFy7AFyrWFg_yoW8Ww17pa y0k3s0yFW2yry3X392yw429a15GFs3CFyxJryUKFyUZFnxW3WxJFy8KFWaqrWYyFykKF1q ya4Dt3yUGrs8Zr7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUP014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1lnxkEFVAIw20F6cxK64vIFxWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xv F2IEw4CE5I8CrVC2j2WlYx0E2Ix0cI8IcVAFwI0_JrI_JrylYx0Ex4A2jsIE14v26r1j6r 4UMcvjeVCFs4IE7xkEbVWUJVW8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I 648v4I1lFIxGxcIEc7CjxVA2Y2ka0xkIwI1lc7CjxVAaw2AFwI0_Jw0_GFylc2xSY4AK67 AK6r43MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAF wI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc4 0Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AK xVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr 1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7VUbasjUUU UUU== X-CM-SenderInfo: 52kd05r2suqzpdlo2hxwvl0wxkxdhvlgxou0/1tbiAQEAAWoWnq0fWQAAsI Content-Type: text/plain; charset="utf-8" The receive-side GARP attribute parser computes dlen with reversed operands: dlen =3D sizeof(*ga) - ga->len; ga->len is the on-wire attribute length and includes the GARP attribute header. For normal attributes with data, ga->len is larger than sizeof(*ga), so the subtraction underflows in unsigned arithmetic. The resulting value is later passed to garp_attr_lookup(), whose length argument is u8. After truncation, the parsed data length usually no longer matches the length stored for locally registered attributes, so received Join/Leave events are ignored. This breaks the GARP receive path for common attributes, such as GVRP VLAN registration attributes. Compute the data length as the attribute length minus the header length. Fixes: eca9ebac651f ("net: Add GARP applicant-only participant") Reported-by: Yizhou Zhao Reported-by: Yuxiang Yang Reported-by: Ao Wang Reported-by: Xuewei Feng Reported-by: Qi Li Reported-by: Ke Xu Assisted-by: GLM:GLM-5.1 Signed-off-by: Yizhou Zhao Reviewed-by: Simon Horman --- diff --git a/net/802/garp.c b/net/802/garp.c index 6f563b6..c7a39f2 100644 --- a/net/802/garp.c +++ b/net/802/garp.c @@ -453,7 +453,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *a= pp, struct sk_buff *skb, if (!pskb_may_pull(skb, ga->len)) return -1; skb_pull(skb, ga->len); - dlen =3D sizeof(*ga) - ga->len; + dlen =3D ga->len - sizeof(*ga); =20 if (attrtype > app->app->maxattr) return 0; -- 2.43.0