* [PATCH 1/2] net: ife: require ETH_HLEN to be pullable in ife_decode()
[not found] <20260610183814.1648888-1-n05ec@lzu.edu.cn>
@ 2026-06-10 18:37 ` Ren Wei
2026-06-14 0:50 ` patchwork-bot+netdevbpf
2026-06-10 18:37 ` [PATCH 2/2] selftests/tc-testing: Verify IFE can handle truncated inner Ethernet header Ren Wei
1 sibling, 1 reply; 3+ messages in thread
From: Ren Wei @ 2026-06-10 18:37 UTC
To: netdev
Cc: yotam.gi, jhs, davem, xiyou.wangcong, kuba, victor, yuantan098,
bird, edragain, n05ec
From: Yong Wang <edragain@163.com>

ife decode may return after making only the outer IFE header and
metadata pullable. The caller then passes the decapsulated packet to
eth_type_trans(), which expects the inner Ethernet header to be
accessible from the linear data area.

With a malformed IFE frame, the inner Ethernet header may still be
shorter than ETH_HLEN in the linear area, which can lead to a crash in
the original code.

Fix this by extending the pull check in ife_decode() so that the inner
Ethernet header is also guaranteed to be pullable before returning.

Fixes: ef6980b6becb ("introduce IFE action")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Yong Wang <edragain@163.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
net/ife/ife.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ife/ife.c b/net/ife/ife.c
index be05b690b9ef..7a75947a31e3 100644
--- a/net/ife/ife.c
+++ b/net/ife/ife.c
@@ -79,7 +79,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen)
if (unlikely(ifehdrln < 2))
return NULL;
- if (unlikely(!pskb_may_pull(skb, total_pull)))
+ if (unlikely(!pskb_may_pull(skb, total_pull + ETH_HLEN)))
return NULL;
ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len);
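Review bot: the new `total_pull + ETH_HLEN` argument to pskb_may_pull() carries no comment explaining why a decode helper now requires an inner Ethernet header, and only the commit message ties it to eth_type_trans() in the caller. A one-line comment above the check, saying that the decapsulated frame must expose a full Ethernet header in the linear area, would keep a later cleanup from dropping the addition. The declaration of total_pull is not visible in this hunk, so please also confirm its type leaves room for the extra ETH_HLEN when ifehdrln is at its largest.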
--
2.34.1
* [PATCH 2/2] selftests/tc-testing: Verify IFE can handle truncated inner Ethernet header
[not found] <20260610183814.1648888-1-n05ec@lzu.edu.cn>
2026-06-10 18:37 ` [PATCH 1/2] net: ife: require ETH_HLEN to be pullable in ife_decode() Ren Wei
@ 2026-06-10 18:37 ` Ren Wei
1 sibling, 0 replies; 3+ messages in thread
From: Ren Wei @ 2026-06-10 18:37 UTC
To: netdev, linux-kselftest, linux-kernel
Cc: yotam.gi, jhs, davem, xiyou.wangcong, victor, kuba, yuantan098,
bird, edragain, n05ec
From: Victor Nogueira <victor@mojatatu.com>

Add a tdc test that exercises the act_ife decode path with a malformed
IFE packet whose encapsulated inner Ethernet header is truncated.

The injected frame has a valid outer Ethernet header (ethertype 0xED3E)
and a minimal IFE header (metalen 2, i.e. no metadata TLVs), but the
payload that should hold the original frame is a single byte instead of
a full Ethernet header. Once ife_decode() strips the outer header and
the IFE metadata, fewer than ETH_HLEN bytes are left, which previously
let eth_type_trans() read past the end of the linear data.

Signed-off-by: Victor Nogueira <victor@mojatatu.com>
---
.../tc-testing/tc-tests/actions/ife.json | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/tools/testing/selftests/tc-testing/tc-tests/actions/ife.json b/tools/testing/selftests/tc-testing/tc-tests/actions/ife.json
index 808aef4afe22..ece7ec41bf99 100644
--- a/tools/testing/selftests/tc-testing/tc-tests/actions/ife.json
+++ b/tools/testing/selftests/tc-testing/tc-tests/actions/ife.json
@@ -1378,5 +1378,60 @@
"teardown": [
"$TC actions flush action ife"
]
+ },
+ {
+ "id": "4e6b",
+ "name": "Decode IFE packet with truncated inner Ethernet header",
+ "category": [
+ "actions",
+ "ife"
+ ],
+ "plugins": {
+ "requires": [
+ "nsPlugin",
+ "scapyPlugin"
+ ]
+ },
+ "setup": [
+ [
+ "$TC actions flush action ife",
+ 0,
+ 1,
+ 255
+ ],
+ "$TC qdisc add dev $DEV1 clsact"
+ ],
+ "scapy": [
+ {
+ "iface": "$DEV0",
+ "count": 1,
+ "packet": "Ether(type=0xED3E) / Raw(b'\\x00\\x02\\xaa')"
+ }
+ ],
+ "cmdUnderTest": "$TC filter add dev $DEV1 ingress protocol all matchall action ife decode pipe index 10",
+ "expExitCode": "0",
+ "verifyCmd": "$TC -s -j actions get action ife index 10",
+ "matchJSON": [
+ {
+ "total acts": 0
+ },
+ {
+ "actions": [
+ {
+ "kind": "ife",
+ "mode": "decode",
+ "index": 10,
+ "stats": {
+ "bytes": 3,
+ "packets": 1,
+ "drops": 1
+ }
+ }
+ ]
+ }
+ ],
+ "teardown": [
+ "$TC qdisc del dev $DEV1 clsact"
+ ]
}
]
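Review bot: the scapy packet `Raw(b'\\x00\\x02\\xaa')` leaves only one inner byte, so this test would still pass if the kernel check were off by one. Adding a case with 13 inner bytes (ETH_HLEN - 1, expected to drop) and one with exactly 14 (expected to pass the length check) would pin the boundary that patch 1 introduces. The expected `"bytes": 3` is a magic value that matches the 3-byte Raw payload; saying so in the commit message would help whoever changes the packet later.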
--
2.34.1
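The length requirement the two commit messages describe, modeled in user space on a flat byte buffer. This is an added example, not code from the patches or the kernel; it assumes a 14-byte outer Ethernet header, and `ife_frame_check`, `make_frame` and the enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN       14      /* Ethernet header length */
#define ETH_P_IFE      0xED3E  /* outer ethertype from the test frame */
#define IFE_METAHDRLEN 2       /* size of the 16-bit metalen field */
enum ife_check { IFE_OK, IFE_NOT_IFE, IFE_SHORT_HDR, IFE_BAD_METALEN,
                 IFE_SHORT_META, IFE_SHORT_INNER };

/* Hypothetical user-space model of the length checks; not ife_decode(). */
enum ife_check ife_frame_check(const uint8_t *f, size_t len, size_t *inner_off)
{
    if (len < ETH_HLEN + IFE_METAHDRLEN)
        return IFE_SHORT_HDR;
    if (((f[12] << 8) | f[13]) != ETH_P_IFE)
        return IFE_NOT_IFE;
    size_t metalen = ((size_t)f[ETH_HLEN] << 8) | f[ETH_HLEN + 1];
    if (metalen < IFE_METAHDRLEN)        /* mirrors "ifehdrln < 2" */
        return IFE_BAD_METALEN;
    size_t total_pull = ETH_HLEN + metalen;
    if (len < total_pull)                /* check before the patch */
        return IFE_SHORT_META;
    if (len - total_pull < ETH_HLEN)     /* requirement the patch adds */
        return IFE_SHORT_INNER;
    *inner_off = total_pull;             /* inner Ethernet header starts here */
    return IFE_OK;
}

/* Constructed sample: zeroed MACs, IFE ethertype, metalen, 0xaa filler. */
size_t make_frame(uint8_t *out, uint16_t metalen, size_t after_metalen)
{
    memset(out, 0, ETH_HLEN);
    out[12] = ETH_P_IFE >> 8;
    out[13] = ETH_P_IFE & 0xff;
    out[14] = (uint8_t)(metalen >> 8);
    out[15] = (uint8_t)(metalen & 0xff);
    memset(out + 16, 0xaa, after_metalen);
    return ETH_HLEN + IFE_METAHDRLEN + after_metalen;
}

int main(void)
{
    uint8_t f[64];
    size_t off = 0, n = make_frame(f, 2, 1); /* shape of the tdc test frame */
    printf("1 inner byte -> %d\n", ife_frame_check(f, n, &off));
    n = make_frame(f, 2, ETH_HLEN);
    printf("14 inner bytes -> %d\n", ife_frame_check(f, n, &off));
    return 0;
}
```

Without the `IFE_SHORT_INNER` branch the one-byte frame would be accepted, which is the state the first commit message describes.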