From: David Carlier <devnexen@gmail.com>
To: netdev@vger.kernel.org
Cc: David Carlier <devnexen@gmail.com>,
Claude <noreply@anthropic.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>, Kees Cook <kees@kernel.org>,
Thomas Gleixner <tglx@kernel.org>,
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>,
Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH] net: garp: reload skb header pointers after pskb_may_pull()
Date: Thu, 4 Jun 2026 15:19:22 +0100 [thread overview]
Message-ID: <20260604141925.237746-1-devnexen@gmail.com> (raw)
garp_pdu_parse_attr() keeps a pointer into the skb linear area across
pskb_may_pull(skb, ga->len), and garp_pdu_parse_msg() dereferences gm
on every loop iteration even though the nested parse may pull again.
pskb_may_pull() can reallocate the skb head, which would leave those
pointers stale.
This is not reachable today: GARP PDUs arrive via the 802.2 LLC SAP
path, where llc_fixup_skb() already pulls and trims the whole payload
into the linear area, so the inner pulls never reallocate. Reload ga
after the pull and snapshot gm->attrtype into a local anyway, to harden
the parser and match the skb_header_pointer() discipline used by mrp.c.
No functional change.
Assisted-by: Claude <noreply@anthropic.com>
Signed-off-by: David Carlier <devnexen@gmail.com>
---
net/802/garp.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/802/garp.c b/net/802/garp.c
index c7a39f298ad6..56b934ec1aae 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -452,6 +452,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
if (!pskb_may_pull(skb, ga->len))
return -1;
+ ga = (struct garp_attr_hdr *)skb->data;
skb_pull(skb, ga->len);
dlen = ga->len - sizeof(*ga);
@@ -492,6 +493,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
static int garp_pdu_parse_msg(struct garp_applicant *app, struct sk_buff *skb)
{
const struct garp_msg_hdr *gm;
+ u8 attrtype;
if (!pskb_may_pull(skb, sizeof(*gm)))
return -1;
@@ -499,9 +501,10 @@ static int garp_pdu_parse_msg(struct garp_applicant *app, struct sk_buff *skb)
if (gm->attrtype == 0)
return -1;
skb_pull(skb, sizeof(*gm));
+ attrtype = gm->attrtype;
while (skb->len > 0) {
- if (garp_pdu_parse_attr(app, skb, gm->attrtype) < 0)
+ if (garp_pdu_parse_attr(app, skb, attrtype) < 0)
return -1;
if (garp_pdu_parse_end_mark(skb) < 0)
break;
--
2.53.0
reply other threads:[~2026-06-04 14:19 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604141925.237746-1-devnexen@gmail.com \
--to=devnexen@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kees@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=noreply@anthropic.com \
--cc=pabeni@redhat.com \
--cc=tglx@kernel.org \
--cc=zhaoyz24@mails.tsinghua.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.