From: Simon Horman <horms@kernel.org>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netdev@vger.kernel.org, jhs@mojatatu.com, jiri@resnulli.us,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, elibr@mellanox.com, yifanwucs@gmail.com,
tomapufckgml@gmail.com, yuantan098@gmail.com, bird@lzu.edu.cn,
enjou1224z@gmail.com, caoruide123@gmail.com
Subject: Re: [PATCH net 1/1] net: sched: act_csum: validate nested VLAN headers
Date: Fri, 3 Apr 2026 17:26:23 +0100 [thread overview]
Message-ID: <20260403162623.GP113102@horms.kernel.org> (raw)
In-Reply-To: <22df2fcb49f410203eafa5d97963dd36089f4ecf.1774892775.git.caoruide123@gmail.com>
On Thu, Apr 02, 2026 at 10:46:20PM +0800, Ren Wei wrote:
> From: Ruide Cao <caoruide123@gmail.com>
>
> tcf_csum_act() walks nested VLAN headers directly from skb->data when an
> skb still carries in-payload VLAN tags. The current code reads
> vlan->h_vlan_encapsulated_proto and then pulls VLAN_HLEN bytes without
> first ensuring that the full VLAN header is present in the linear area.
>
> If only part of an inner VLAN header is linearized, accessing
> h_vlan_encapsulated_proto reads past the linear area, and the following
> skb_pull(VLAN_HLEN) may violate skb invariants.
>
> Fix this by requiring pskb_may_pull(skb, VLAN_HLEN) before accessing and
> pulling each nested VLAN header. If the header still is not fully
> available, drop the packet through the existing error path.
>
> Fixes: 2ecba2d1e45b ("net: sched: act_csum: Fix csum calc for tagged packets")
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Co-developed-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Yuan Tan <yuantan098@gmail.com>
> Suggested-by: Xin Liu <bird@lzu.edu.cn>
> Tested-by: Ren Wei <enjou1224z@gmail.com>
> Signed-off-by: Ruide Cao <caoruide123@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
next prev parent reply other threads:[~2026-04-03 16:26 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1774892775.git.caoruide123@gmail.com>
2026-04-02 14:46 ` [PATCH net 1/1] net: sched: act_csum: validate nested VLAN headers Ren Wei
2026-04-03 16:26 ` Simon Horman [this message]
2026-04-03 22:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260403162623.GP113102@horms.kernel.org \
--to=horms@kernel.org \
--cc=bird@lzu.edu.cn \
--cc=caoruide123@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=elibr@mellanox.com \
--cc=enjou1224z@gmail.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=n05ec@lzu.edu.cn \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.