Re: [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org,
	phil@nwl.cc, yifanwucs@gmail.com, tomapufckgml@gmail.com,
	yuantan098@gmail.com, bird@lzu.edu.cn, enjou1224z@gmail.com,
	zcliangcn@gmail.com
Subject: Re: [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it
Date: Wed, 1 Apr 2026 21:14:57 +0200	[thread overview]
Message-ID: <ac1uqcDxsmmQ-oxH@strlen.de> (raw)
In-Reply-To: <acus9gpd-oKl_6dg@strlen.de>

[ Trimming Cc list ]

Florian Westphal <fw@strlen.de> wrote:
> Florian Westphal <fw@strlen.de> wrote:
> > Ren Wei <n05ec@lzu.edu.cn> wrote:
> > > From: Zhengchuan Liang <zcliangcn@gmail.com>
> > > 
> > > `eui64_mt6()` derives a modified EUI-64 from the Ethernet source
> > > address and compares it with the low 64 bits of the IPv6 source
> > > address.
> > > 
> > > The match unconditionally reaches `skb_mac_header()` and `eth_hdr(skb)`
> > > after a guard that only rejects an invalid MAC header when
> > > `par->fragoff != 0`. As a result, non-fragment packets can still reach
> > > `eth_hdr(skb)` even when the skb has no MAC header set, or when the MAC
> > > header does not cover a full Ethernet header.
> > > 
> > > Fix this by first checking that the MAC header is set and spans a full
> > > Ethernet header before accessing it, then using that validated header
> > > directly for the EUI-64 comparison. Preserve the existing hotdrop
> > > behavior for non-first fragments with an invalid MAC header.
> > 
> > I find this rather confusing.  E.g. why is net/netfilter/xt_mac.c safe?
> > I get the feeling that this patch is not sufficient?
> > 
> > > +	if (!skb_mac_header_was_set(skb)) {
> > 
> > Makes sense to me.
> > 
> > > +	mac = skb_mac_header(skb);
> > > +	if (mac < skb->head || mac + ETH_HLEN > skb->data) {
> > > +		if (par->fragoff != 0)
> > > +			par->hotdrop = true;
> > > +		return false;
> > 
> > Why do we still need this stunt?  Why not:
> > 
> > mac_len = skb_mac_header_len(skb);
> > if (mac_len < ETH_HLEN) {
> > 	par->hotdrop = true;
> > 	return false;
> > }
> > 
> > ?
> > 
> > I also feel there should be a check for ethernet, i.e.
> >         if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
> > 
> > ... like in xt_mac.c.
> 
> There are other suspicious spots, e.g. in nf_log_syslog.c and in ipset.
> 
> Will you make a patch to cover all of these?

Ping.  Will you followup or do you expect us to take over?

next prev parent reply	other threads:[~2026-04-01 19:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <cover.1774859629.git.zcliangcn@gmail.com>
2026-03-31  7:34 ` [PATCH 1/1] netfilter: ip6t_eui64: validate MAC header before using it Ren Wei
2026-03-31  9:26   ` Florian Westphal
2026-03-31 11:16     ` Florian Westphal
2026-04-01 19:14       ` Florian Westphal [this message]
2026-04-01 20:18         ` Yuan Tan
2026-04-04  9:39 ` [PATCH nf v2 1/2] netfilter: ip6t_eui64: reject invalid MAC header for all packets Ren Wei
2026-04-04  9:39 ` [PATCH nf v2 2/2] netfilter: require Ethernet MAC header before using eth_hdr() Ren Wei

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ac1uqcDxsmmQ-oxH@strlen.de \
    --to=fw@strlen.de \
    --cc=bird@lzu.edu.cn \
    --cc=enjou1224z@gmail.com \
    --cc=n05ec@lzu.edu.cn \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=phil@nwl.cc \
    --cc=tomapufckgml@gmail.com \
    --cc=yifanwucs@gmail.com \
    --cc=yuantan098@gmail.com \
    --cc=zcliangcn@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.