From: Samuel Moelius
To: Jamal Hadi Salim
Cc: Samuel Moelius, Jiri Pirko, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev@vger.kernel.org (open list:TC subsystem), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] net/sched: act_csum: skip malformed IPv4 headers
Date: Fri, 5 Jun 2026 15:29:15 +0000
Message-ID: <20260605152916.2125473-1-sam.moelius@trailofbits.com>

act_csum trusts the IPv4 IHL field before using it to locate transport header fields. Packets with an invalid short IHL can make the action write checksum data into the IPv4 header instead of the intended L4 header.

The action should not repair or modify packets whose IPv4 header length is invalid. Treat those packets as not eligible for checksum repair and leave the configured action result unchanged.

Return success without updating checksums when the IPv4 version, IHL, or total length cannot describe a complete IPv4 header.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius
---
 net/sched/act_csum.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c index a9e4635d899e..faedf6abd448 100644 --- a/net/sched/act_csum.c +++ b/net/sched/act_csum.c
@@ -385,6 +385,8 @@ static int tcf_csum_sctp(struct sk_buff *skb, unsigned = int ihl, static int tcf_csum_ipv4(struct sk_buff *skb, u32 update_flags) { const struct iphdr *iph; + unsigned int ihl; + unsigned int ipl; int ntkoff; =20 ntkoff =3D skb_network_offset(skb); @@ -393,41 +395,43 @@ static int tcf_csum_ipv4(struct sk_buff *skb, u32 upd= ate_flags) goto fail; =20 iph =3D ip_hdr(skb); + if (iph->version !=3D 4 || iph->ihl < 5) + return 1; + + ihl =3D iph->ihl * 4; + ipl =3D ntohs(iph->tot_len); + if (ipl < ihl) + return 1; =20 switch (iph->frag_off & htons(IP_OFFSET) ? 0 : iph->protocol) { case IPPROTO_ICMP: if (update_flags & TCA_CSUM_UPDATE_FLAG_ICMP) - if (!tcf_csum_ipv4_icmp(skb, iph->ihl * 4, - ntohs(iph->tot_len))) + if (!tcf_csum_ipv4_icmp(skb, ihl, ipl)) goto fail; break; case IPPROTO_IGMP: if (update_flags & TCA_CSUM_UPDATE_FLAG_IGMP) - if (!tcf_csum_ipv4_igmp(skb, iph->ihl * 4, - ntohs(iph->tot_len))) + if (!tcf_csum_ipv4_igmp(skb, ihl, ipl)) goto fail; break; case IPPROTO_TCP: if (update_flags & TCA_CSUM_UPDATE_FLAG_TCP) - if (!tcf_csum_ipv4_tcp(skb, iph->ihl * 4, - ntohs(iph->tot_len))) + if (!tcf_csum_ipv4_tcp(skb, ihl, ipl)) goto fail; break; case IPPROTO_UDP: if (update_flags & TCA_CSUM_UPDATE_FLAG_UDP) - if (!tcf_csum_ipv4_udp(skb, iph->ihl * 4, - ntohs(iph->tot_len), 0)) + if (!tcf_csum_ipv4_udp(skb, ihl, ipl, 0)) goto fail; break; case IPPROTO_UDPLITE: if (update_flags & TCA_CSUM_UPDATE_FLAG_UDPLITE) - if (!tcf_csum_ipv4_udp(skb, iph->ihl * 4, - ntohs(iph->tot_len), 1)) + if (!tcf_csum_ipv4_udp(skb, ihl, ipl, 1)) goto fail; break; case IPPROTO_SCTP: if ((update_flags & TCA_CSUM_UPDATE_FLAG_SCTP) && - !tcf_csum_sctp(skb, iph->ihl * 4, ntohs(iph->tot_len))) + !tcf_csum_sctp(skb, ihl, ipl)) goto fail; break; } --=20 2.43.0
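Review bot: in the first hunk (@@ -385), the new local `unsigned int ihl;` holds a byte count (`iph->ihl * 4`) while sharing its name with the header field `iph->ihl`, which counts 32-bit words, and `unsigned int ipl;` does not say that it is the host-order `tot_len`. The helpers already name their byte-length parameter `ihl`, so that part is consistent with the file, but a short comment at the declarations giving the units (bytes, host order), or a name such as `tot_len` for `ipl`, would stop a later reader from comparing the local `ihl` against 5 instead of 20.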
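Review bot: in the second hunk (@@ -393), the guard `if (ipl < ihl) return 1;` bounds `tot_len` from below only; nothing in the visible lines compares `ipl` with the amount of data actually present in the skb, so a `tot_len` larger than the packet is still handed to every `tcf_csum_ipv4_*` helper as `ipl`. Please confirm that each helper rejects that case before it computes the L4 length, or add the upper bound next to the new checks so that "cannot describe a complete IPv4 header" in the commit message is enforced in one place. Two smaller points on the same lines: the early `return 1` exits sit directly beside `goto fail` paths without explanation, so a one-line comment stating that malformed headers are deliberately passed through unmodified and reported as success would help; and because these packets are now skipped silently, consider whether they should be counted somewhere an operator can see, since a stream of short-IHL packets reaching this action is worth noticing.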