From: Qingfang Deng <qingfang.deng@linux.dev>
To: Jakub Kicinski <kuba@kernel.org>
Cc: linux-ppp@vger.kernel.org, andrew+netdev@lunn.ch,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
hataegu0826@gmail.com, horms@kernel.org, kees@kernel.org,
kuniyu@google.com, bigeasy@linutronix.de, gnault@redhat.com,
ericwouds@gmail.com, semen.protsenko@linaro.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
paulus@ozlabs.org, jaco@uls.co.za, carlsonj@workingcode.com,
wojciech.drewek@intel.com, marcin.szycik@linux.intel.com
Subject: Re: [PATCH net v6 2/2] pppoe: drop PFC frames
Date: Sun, 19 Apr 2026 15:53:36 +0800
Message-ID: <50806e49-c3a1-4188-bd73-85e0ad688ebf@linux.dev>
In-Reply-To: <20260418191145.213625-1-kuba@kernel.org>
Hi,
On 4/19/2026 3:11 AM, Jakub Kicinski wrote:
> [ ... ]
>> @@ -434,6 +434,12 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
>> if (skb->len < len)
>> goto drop;
>>
>> + /* skb->data points to the PPP protocol header after skb_pull_rcsum.
>> + * Drop PFC frames.
>> + */
>> + if (ppp_skb_is_compressed_proto(skb))
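Review bot: the new comment above `if (ppp_skb_is_compressed_proto(skb))` says where skb->data points but not why the byte the helper dereferences (skb->data[0]) is guaranteed to be in the linear region; the pskb_may_pull() that provides that guarantee is outside this hunk, so state it in the comment, e.g. that the earlier pull covers PPPOE_SES_HLEN (the PPPoE header plus the two PPP protocol bytes), so a reader of the hunk can verify the bound without scrolling up to the pull.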
>
> Does this code safely access the PPP protocol byte?
>
> After pulling the PPPoE header, skb->data points to the inner payload.
> However, the new ppp_skb_is_compressed_proto() helper unconditionally
> dereferences skb->data[0].
>
> If a crafted PPPoE packet is received with an inner length of 0 and no
> Ethernet padding, the linear buffer might end exactly after the PPPoE header.
> In that scenario, this would read past the allocated linear buffer.
>
> Even if the inner length is greater than 0, could the payload reside entirely
> in non-linear paged fragments, causing an out-of-bounds read?
>
> Would it be safer to verify the packet has at least 1 byte and use
> pskb_may_pull() to ensure the protocol byte is in the linear region before
> inspecting it, perhaps after the pskb_trim_rcsum() call?
I already updated the pskb_may_pull() above, from struct pppoe_hdr (6)
to PPPOE_SES_HLEN (8), to ensure that.
Regards,
Qingfang
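To make the bound discussed above concrete, here is an added, constructed C model of the pppoe_rcv() path; it is not kernel code and not part of this thread, all toy_* names are made up here, and the body of ppp_skb_is_compressed_proto() is assumed (odd first octet means a one-octet protocol, per RFC 1661 PFC). With the old 6-byte pull, a zero-length or fragmented inner payload leaves the protocol byte outside the linear region; with the 8-byte PPPOE_SES_HLEN pull the byte is either linear or the frame is dropped.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PPPOE_HDR_LEN  6   /* sizeof(struct pppoe_hdr): the pull length before the series */
#define PPPOE_SES_HLEN 8   /* header + 2-byte PPP protocol: the pull length after it */

/* Constructed skb model: buf holds the whole frame, but only its first `linear` bytes are linear. */
struct toy_skb {
	uint8_t buf[64];
	size_t total, linear, off; /* frame length, end of linear region, skb->data (offsets into buf) */
};

/* Model of pskb_may_pull(): fail if fewer than n bytes remain after skb->data, else make them linear. */
static bool toy_may_pull(struct toy_skb *s, size_t n)
{
	if (s->total - s->off < n) return false;
	if (s->linear < s->off + n) s->linear = s->off + n;
	return true;
}

/* Assumed helper body (not shown on the page): RFC 1661 PFC marks a one-octet protocol by an odd first octet. */
static bool toy_is_compressed_proto(const struct toy_skb *s)
{
	return s->buf[s->off] & 1;
}

/* Model of the pppoe_rcv() path: 1 = deliver, 0 = drop, -1 = PFC check would read outside the linear region. */
static int toy_pppoe_rcv(struct toy_skb *s, size_t pull_len)
{
	if (!toy_may_pull(s, pull_len)) return 0;                    /* goto drop */
	size_t len = (s->buf[s->off + 4] << 8) | s->buf[s->off + 5]; /* ph->length */
	s->off += PPPOE_HDR_LEN;                                     /* skb_pull_rcsum() */
	if (s->total - s->off < len) return 0;                       /* skb->len < len */
	if (s->off >= s->linear) return -1;                          /* protocol byte is not linear */
	return toy_is_compressed_proto(s) ? 0 : 1;                   /* drop PFC frames */
}

/* Copy a frame in, mark its first `linear` bytes linear, and run the receive path. */
int toy_run(const uint8_t *frame, size_t total, size_t linear, size_t pull_len)
{
	struct toy_skb s = { .total = total, .linear = linear, .off = 0 };
	memcpy(s.buf, frame, total);
	return toy_pppoe_rcv(&s, pull_len);
}

/* Constructed frames: PPPoE session header (ver/type, code, sid, length), then the PPP payload. */
static const uint8_t FRAME_EMPTY[] = { 0x11, 0x00, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t FRAME_IPV4[]  = { 0x11, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x21 };
static const uint8_t FRAME_PFC[]   = { 0x11, 0x00, 0x00, 0x01, 0x00, 0x02, 0x21, 0x45 };
```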
Thread overview (7+ messages):
2026-04-15 2:24 [PATCH net v6 1/2] flow_dissector: do not dissect PPPoE PFC frames Qingfang Deng
2026-04-15 2:24 ` [PATCH net v6 2/2] pppoe: drop " Qingfang Deng
2026-04-18 19:11 ` Jakub Kicinski
2026-04-19 7:53 ` Qingfang Deng [this message]
2026-04-15 13:42 ` [PATCH net v6 1/2] flow_dissector: do not dissect PPPoE " Qingfang Deng
2026-04-16 16:17 ` Jakub Kicinski
2026-04-20 21:59 ` patchwork-bot+netdevbpf