From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net-next 00/11] netfilter: updates for net-next
Date: Sun, 12 Apr 2026 20:58:24 +0200 [thread overview]
Message-ID: <advrUCdRWruZt2ud@chamomile> (raw)
In-Reply-To: <advTosG9qZ_ZW355@strlen.de>
On Sun, Apr 12, 2026 at 07:17:22PM +0200, Florian Westphal wrote:
> Florian Westphal <fw@strlen.de> wrote:
> > Jakub Kicinski <kuba@kernel.org> wrote:
> > https://sashiko.dev/#/patchset/20260410112352.23599-1-fw%40strlen.de
>
> Forgot to mention this:
>
> ---------------
> AF_PACKET raw sockets or tun devices, the network_header might be
> uninitialized (~0U). In this state, skb_mac_header_len() will evaluate to
> a very large number, bypassing the ETH_HLEN check completely.
> ---------------
>
> Really? TIL.
>
> ---------------------
> Furthermore, skb_mac_header_len() only verifies the logical distance between
> header offsets, rather than ensuring the bytes are actually present in the
> physical linear buffer.
>
> ---------------
>
> Really? Total news to me :-(
No problem, taking a look into this.
next prev parent reply other threads:[~2026-04-12 18:58 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-10 11:23 [PATCH net-next 00/11] netfilter: updates for net-next Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 01/11] ipvs: show the current conn_tab size to users Florian Westphal
2026-04-12 18:00 ` patchwork-bot+netdevbpf
2026-04-10 11:23 ` [PATCH net-next 02/11] ipvs: add ip_vs_status info Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 03/11] ipvs: add conn_lfactor and svc_lfactor sysctl vars Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 04/11] netfilter: x_physdev: reject empty or not-nul terminated device names Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 05/11] netfilter: nfnetlink: prefer skb_mac_header helpers Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 06/11] netfilter: xt_HL: add pr_fmt and checkentry validation Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 07/11] netfilter: xt_socket: enable defrag after all other checks Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 08/11] netfilter: conntrack: remove UDP-Lite conntrack support Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 09/11] netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 10/11] netfilter: nft_fwd_netdev: check ttl/hl before forwarding Florian Westphal
2026-04-10 11:23 ` [PATCH net-next 11/11] netfilter: require Ethernet MAC header before using eth_hdr() Florian Westphal
2026-04-12 16:40 ` [PATCH net-next 00/11] netfilter: updates for net-next Jakub Kicinski
2026-04-12 16:54 ` Florian Westphal
2026-04-12 17:17 ` Florian Westphal
2026-04-12 18:58 ` Pablo Neira Ayuso [this message]
2026-04-12 17:53 ` Jakub Kicinski
2026-04-12 18:07 ` Julian Anastasov
-- strict thread matches above, loose matches on Subject: below --
2026-02-05 11:08 Florian Westphal
2026-02-06 12:41 ` Florian Westphal
2024-11-06 23:46 [PATCH net-next 00/11] Netfilter " Pablo Neira Ayuso
2024-11-07 0:19 ` Jakub Kicinski
2024-11-07 7:08 ` Florian Westphal
2024-11-07 20:48 ` Jakub Kicinski
2024-11-07 21:07 ` Florian Westphal
2024-11-07 21:09 ` Eric Dumazet
2022-05-19 22:01 Pablo Neira Ayuso
2022-04-11 10:27 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=advrUCdRWruZt2ud@chamomile \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.