From: Rafal Bilkowski <rafalbilkowski@gmail.com>
To: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, dsahern@kernel.org,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
Rafal Bilkowski <rafalbilkowski@gmail.com>
Subject: [PATCH] net: ipv6: sanitize RPL SRH cmpre/cmpre fields to fix taint issue
Date: Sat, 24 May 2025 07:51:59 +0200 [thread overview]
Message-ID: <20250524055159.32982-1-rafalbilkowski@gmail.com> (raw)
Coverity flagged that the cmpre and cmpri fields in
struct ipv6_rpl_sr_hdr are used without proper bounds checking,
which may allow tainted values to be used as offsets or divisors,
potentially leading to out-of-bounds access or division by zero.
This patch adds explicit range checks for cmpre and cmpri before
using them, ensuring they are within the valid range (0-15) and
cmpri is non-zero. Coverity was run loccaly
Fixes: ("Untrusted value as argument (TAINTED_SCALAR)")
Signed-off-by: Rafal Bilkowski <rafalbilkowski@gmail.com>
---
net/ipv6/exthdrs.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 02e9ffb63af1..9646738cb872 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -504,6 +504,15 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
}
looped_back:
+
+ if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct ipv6_rpl_sr_hdr)))
+ goto error;
+ // Check if there is enough memory available for the header and hdrlen is in valid range
+ if (skb_tailroom(skb) < ((hdr->hdrlen + 1) << 3) ||
+ hdr->hdrlen == 0 ||
+ hdr->hdrlen > U8_MAX)
+ goto error;
+
hdr = (struct ipv6_rpl_sr_hdr *)skb_transport_header(skb);
if (hdr->segments_left == 0) {
@@ -534,7 +543,18 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
return 1;
}
+ // Check if cmpri and cmpre are valid and do not exceed 15
+ if (hdr->cmpri > 15 || hdr->cmpre > 15)
+ goto error;
+ // Check if pad value is valid and does not exceed 15
+ if (hdr->pad > 15)
+ goto error;
+
n = (hdr->hdrlen << 3) - hdr->pad - (16 - hdr->cmpre);
+ // Check if n is non-negative
+ if (n <= 0)
+ goto error;
+
r = do_div(n, (16 - hdr->cmpri));
/* checks if calculation was without remainder and n fits into
* unsigned char which is segments_left field. Should not be
@@ -638,6 +658,9 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
dst_input(skb);
return -1;
+
+error:
+ return -1;
}
/********************************
--
2.43.0
next reply other threads:[~2025-05-24 5:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-24 5:51 Rafal Bilkowski [this message]
2025-05-24 14:18 ` [PATCH] net: ipv6: sanitize RPL SRH cmpre/cmpre fields to fix taint issue Willem de Bruijn
2025-05-26 6:36 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250524055159.32982-1-rafalbilkowski@gmail.com \
--to=rafalbilkowski@gmail.com \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).