From: Samuel Moelius
To: Jamal Hadi Salim
Cc: Samuel Moelius, Jiri Pirko, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev@vger.kernel.org (open list:TC subsystem), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2] net/sched: act_pedit: require matching IPv4 L4 protocol
Date: Sun, 7 Jun 2026 19:35:46 +0000
Message-ID: <20260607193621.1057618-1-sam.moelius@trailofbits.com>

The extended IPv4 L4 header mode in act_pedit can select TCP or UDP header fields without confirming that the IPv4 protocol field matches the selected transport header. That lets a rule written for TCP or UDP modify unrelated payload bytes in a packet carrying a different protocol.

Verify that the IPv4 header is long enough, that the protocol matches the selected TCP or UDP header, and that the packet is not a non-initial fragment before applying TCP or UDP extended header edits.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius
---
Changes in v2
- Add check of iph->frag_off & htons(IP_OFFSET)

 net/sched/act_pedit.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index bc20f08a2789..2730accbc56a 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include
@@ -341,6 +342,9 @@ static int pedit_l4_skb_offset(struct sk_buff *skb, int= *hoffset, const int head =20 if (!iph) goto out; + if (iph->ihl < 5 || iph->protocol !=3D header_type || + (iph->frag_off & htons(IP_OFFSET))) + goto out; *hoffset =3D noff + iph->ihl * 4; ret =3D 0; break; --=20 2.43.0
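
Review bot: The new condition in pedit_l4_skb_offset() folds three unrelated rejections into one `if` with no comment, and the fragment test `(iph->frag_off & htons(IP_OFFSET))` in particular is not self-explanatory. A short comment above it, saying that a non-initial fragment has no transport header at `noff + iph->ihl * 4` and an edit there would land in payload, would save the next reader a trip to the changelog. The `iph->protocol != header_type` comparison is only correct if every caller passes an IP protocol number in `header_type`; the parameter's declaration is cut off in the hunk header here, so please confirm that and consider stating it in the comment. All three cases reuse the existing `goto out` path, so the commit message should also say what a pedit rule now does with a packet that fails the check, since rules that previously rewrote such packets will behave differently.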