From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: David Carlier <devnexen@gmail.com>,
daniel.zahka@gmail.com, kuba@kernel.org
Cc: willemdebruijn.kernel@gmail.com, davem@davemloft.net,
edumazet@google.com, pabeni@redhat.com, horms@kernel.org,
raeds@nvidia.com, kees@kernel.org, cratiu@nvidia.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
David Carlier <devnexen@gmail.com>,
stable@vger.kernel.org
Subject: Re: [PATCH net v2] psp: strip variable-length PSP header in psp_dev_rcv()
Date: Fri, 01 May 2026 09:53:24 -0400 [thread overview]
Message-ID: <willemdebruijn.kernel.f160423d0db@gmail.com> (raw)
In-Reply-To: <20260501130046.16008-1-devnexen@gmail.com>
David Carlier wrote:
> psp_dev_rcv() unconditionally removes a fixed PSP_ENCAP_HLEN, even
> when psph->hdrlen indicates that the PSP header carries optional
> fields. A frame whose PSP header advertises a non-zero VC or any
> extension would therefore be silently mis-decapsulated: option bytes
> would spill into the inner packet head and downstream parsing would
> fail on a corrupted skb.
>
> Compute the full PSP header length from psph->hdrlen, pull the
> optional bytes into the linear region, and strip the whole header
> when decapsulating. Optional fields (VC, ...) are still ignored,
> just discarded with the rest of the header instead of leaking.
> crypt_offset and the VIRT flag are intentionally not validated here
> - callers know their device's PSP implementation and can decide.
>
> Both in-tree callers gate on hardware-validated PSP, so this is a
> correctness fix rather than a reachable corruption path under
> current configurations.
>
> Fixes: 0eddb8023cee ("psp: provide decapsulation and receive helper for drivers")
> Suggested-by: Daniel Zahka <daniel.zahka@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
next prev parent reply other threads:[~2026-05-01 13:53 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-30 6:20 [PATCH] psp: reject packets carrying unsupported PSP optional fields David Carlier
2026-04-30 10:32 ` Daniel Zahka
2026-04-30 10:59 ` David CARLIER
2026-05-01 13:00 ` [PATCH net v2] psp: strip variable-length PSP header in psp_dev_rcv() David Carlier
2026-05-01 13:53 ` Willem de Bruijn [this message]
2026-05-01 14:13 ` Daniel Zahka
2026-05-01 14:39 ` David CARLIER
2026-05-02 0:00 ` Jakub Kicinski
2026-05-02 0:00 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=willemdebruijn.kernel.f160423d0db@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=cratiu@nvidia.com \
--cc=daniel.zahka@gmail.com \
--cc=davem@davemloft.net \
--cc=devnexen@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kees@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=raeds@nvidia.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.