From: David Carlier
To: daniel.zahka@gmail.com, kuba@kernel.org
Cc: willemdebruijn.kernel@gmail.com, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, horms@kernel.org, raeds@nvidia.com, kees@kernel.org, cratiu@nvidia.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, David Carlier, Willem de Bruijn, stable@vger.kernel.org
Subject: [PATCH net v3] psp: strip variable-length PSP header in psp_dev_rcv()
Date: Sat, 2 May 2026 15:19:45 +0100
Message-ID: <20260502141945.14484-1-devnexen@gmail.com>

psp_dev_rcv() unconditionally removes a fixed PSP_ENCAP_HLEN, even when
psph->hdrlen indicates that the PSP header carries optional fields. A
frame whose PSP header advertises a non-zero VC or any extension would
therefore be silently mis-decapsulated: option bytes would spill into
the inner packet head and downstream parsing would fail on a corrupted
skb.

Compute the full PSP header length from psph->hdrlen, pull the optional
bytes into the linear region, and strip the whole header when
decapsulating. Optional fields (VC, ...) are still ignored, just
discarded with the rest of the header instead of leaking.

crypt_offset and the VIRT flag are intentionally not validated here -
callers know their device's PSP implementation and can decide.

Both in-tree callers gate on hardware-validated PSP, so this is a
correctness fix rather than a reachable corruption path under current
configurations.

Fixes: 0eddb8023cee ("psp: provide decapsulation and receive helper for drivers")
Reviewed-by: Willem de Bruijn
Reviewed-by: Daniel Zahka
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier --- v2 -> v3 (per Daniel Zahka): - drop Suggested-by trailer - rename psp_hdr_len -> psp_hlen, retype to int, fold onto the existing int declaration line to keep the reverse christmas tree - drop the (u32) cast on psph->hdrlen - no functional change; carry forward Reviewed-by tags from v2 net/psp/psp_main.c | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c index 9508b6c38003..e45549f08eef 100644 --- a/net/psp/psp_main.c +++ b/net/psp/psp_main.c @@ -263,15 +263,16 @@ EXPORT_SYMBOL(psp_dev_encapsulate); /* Receive handler for PSP packets. * - * Presently it accepts only already-authenticated packets and does not - * support optional fields, such as virtualization cookies. The caller should - * ensure that skb->data is pointing to the mac header, and that skb->mac_len - * is set. This function does not currently adjust skb->csum (CHECKSUM_COMPLETE - * is not supported). + * Accepts only already-authenticated packets. The full PSP header is + * stripped according to psph->hdrlen; any optional fields it advertises + * (virtualization cookies, etc.) are ignored and discarded along with the + * rest of the header. The caller should ensure that skb->data is pointing + * to the mac header, and that skb->mac_len is set. This function does not + * currently adjust skb->csum (CHECKSUM_COMPLETE is not supported). */ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) { - int l2_hlen = 0, l3_hlen, encap; + int l2_hlen = 0, l3_hlen, encap, psp_hlen; struct psp_skb_ext *pse; struct psphdr *psph; struct ethhdr *eth; 
@@ -312,18 +313,36 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) if (unlikely(uh->dest != htons(PSP_DEFAULT_UDP_PORT))) return -EINVAL; - pse = skb_ext_add(skb, SKB_EXT_PSP); - if (!pse) + psph = (struct psphdr *)(skb->data + l2_hlen + l3_hlen + + sizeof(struct udphdr)); + + /* Strip the full PSP header per psph->hdrlen; VC/options are pulled + * into the linear region only so they can be discarded with the + * rest of the header. + */ + psp_hlen = (psph->hdrlen + 1) * 8; + + if (unlikely(psp_hlen < sizeof(struct psphdr))) + return -EINVAL; + + if (psp_hlen > sizeof(struct psphdr) && + !pskb_may_pull(skb, l2_hlen + l3_hlen + + sizeof(struct udphdr) + psp_hlen)) return -EINVAL; psph = (struct psphdr *)(skb->data + l2_hlen + l3_hlen + sizeof(struct udphdr)); + + pse = skb_ext_add(skb, SKB_EXT_PSP); + if (!pse) + return -EINVAL; + pse->spi = psph->spi; pse->dev_id = dev_id; pse->generation = generation; pse->version = FIELD_GET(PSPHDR_VERFL_VERSION, psph->verfl); - encap = PSP_ENCAP_HLEN; + encap = sizeof(struct udphdr) + psp_hlen; encap += strip_icv ? PSP_TRL_SIZE : 0; if (proto == htons(ETH_P_IP)) { @@ -340,8 +359,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) - encap); } - memmove(skb->data + PSP_ENCAP_HLEN, skb->data, l2_hlen + l3_hlen); - skb_pull(skb, PSP_ENCAP_HLEN); + memmove(skb->data + sizeof(struct udphdr) + psp_hlen, + skb->data, l2_hlen + l3_hlen); + skb_pull(skb, sizeof(struct udphdr) + psp_hlen); if (strip_icv) pskb_trim(skb, skb->len - PSP_TRL_SIZE); -- 2.53.0
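Review bot: The rewritten comment above psp_dev_rcv() (first hunk, @@ -263) leaves out two things a driver author needs from it. The commit message says crypt_offset and the VIRT flag are intentionally not validated and that callers decide, but the comment only mentions that optional fields are ignored; please state the unvalidated fields there, since that is where the caller contract lives. It would also help to note that the function now returns -EINVAL when psph->hdrlen encodes a length shorter than struct psphdr or when the advertised header cannot be pulled.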
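Review bot: In the second hunk (@@ -312), psph->hdrlen is dereferenced before any pull that is visible here, and the new pskb_may_pull() is skipped whenever psp_hlen equals sizeof(struct psphdr), so the code depends on an earlier pull having already covered the fixed PSP header. Either call pskb_may_pull() unconditionally with l2_hlen + l3_hlen + sizeof(struct udphdr) + psp_hlen, or add a comment naming that precondition. Re-deriving psph after the pull is correct because the head can be reallocated; uh is dereferenced just above, so please confirm that no header pointer taken before the pull is used after it. The comparison psp_hlen < sizeof(struct psphdr) mixes int with size_t; it is harmless while psp_hlen cannot be negative, but a cast or a matching type would make that explicit. Finally, sizeof(struct udphdr) + psp_hlen is now written out three times (encap, memmove, skb_pull); a single local would keep the three from drifting apart.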